Summary:


NtAccessCheck(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  11 
NtAllocateVirtualMemory(>)  52 

NtAddAtom(>)  1 
NtGdiHfontCreate(>)  2 
NtUserCallOneParam(>)  11 
NtSetValueKey(>)  52 

NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserSystemParametersInfo(>)  11 
NtQueryInformationProcess(>)  54 

NtContinue(>)  1 
NtQueryInstallUILanguage(>)  2 
NtCreateSemaphore(>)  12 
NtRequestWaitReplyPort(>)  55 

NtGdiCreateBitmap(>)  1 
NtUserCreateWindowEx(>)  2 
NtEnumerateKey(>)  12 
NtCreateFile(>)  57 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserGetObjectInformation(>)  2 
NtOpenProcessToken(>)  12 
NtSetInformationThread(>)  61 

NtGdiInit(>)  1 
NtUserMessageCall(>)  2 
NtQueryDefaultUILanguage(>)  12 
NtMapViewOfSection(>)  63 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetEvent(>)  12 
NtUserRegisterClassExWOW(>)  64 

NtGdiSelectBitmap(>)  1 
NtDuplicateObject(>)  4 
NtOpenProcessTokenEx(>)  16 
NtOpenThreadToken(>)  77 

NtOpenKeyedEvent(>)  1 
NtUserRegisterWindowMessage(>)  4 
NtOpenThreadTokenEx(>)  16 
NtCreateEvent(>)  86 

NtOpenProcess(>)  1 
NtDuplicateToken(>)  5 
NtProtectVirtualMemory(>)  16 
NtSetInformationFile(>)  96 

NtOpenSymbolicLinkObject(>)  1 
NtGdiGetStockObject(>)  5 
NtQuerySection(>)  18 
NtQueryDefaultLocale(>)  99 

NtQueryEvent(>)  1 
NtQuerySecurityObject(>)  5 
NtUnmapViewOfSection(>)  20 
NtQueryInformationFile(>)  108 

NtQueryObject(>)  1 
NtSetInformationObject(>)  5 
NtConnectPort(>)  22 
NtQueryAttributesFile(>)  110 

NtQuerySymbolicLinkObject(>)  1 
NtCreateMutant(>)  6 
NtOpenEvent(>)  23 
NtOpenFile(>)  114 

NtQuerySystemTime(>)  1 
NtFreeVirtualMemory(>)  6 
NtQuerySystemInformation(>)  25 
NtFsControlFile(>)  125 

NtQueryTimerResolution(>)  1 
NtNotifyChangeKey(>)  6 
NtQueryDirectoryFile(>)  28 
NtQueryVirtualMemory(>)  147 

NtRegisterThreadTerminatePort(>)  1 
NtWaitForMultipleObjects(>)  6 
NtQueryDebugFilterState(>)  29 
NtCreateKey(>)  163 

NtSecureConnectPort(>)  1 
NtReleaseSemaphore(>)  7 
NtCreateSection(>)  32 
NtReleaseMutant(>)  185 

NtTestAlert(>)  1 
NtUserCallNoParam(>)  7 
NtWriteFile(>)  32 
NtEnumerateValueKey(>)  231 

NtUserGetDC(>)  1 
NtFlushInstructionCache(>)  8 
NtUserGetMessage(>)  34 
NtWaitForSingleObject(>)  253 

NtUserGetGUIThreadInfo(>)  1 
NtQueryKey(>)  8 
NtReadFile(>)  35 
NtOpenKey(>)  339 

NtUserGetProcessWindowStation(>)  1 
NtOpenMutant(>)  9 
NtUserGetClassInfo(>)  37 
NtQueryValueKey(>)  649 

NtUserGetThreadDesktop(>)  1 
NtDeviceIoControlFile(>)  10 
NtOpenSection(>)  45 
NtClose(>)  709 

NtUserSetProp(>)  1 
NtUserGetWindowDC(>)  10 
NtQueryInformationToken(>)  48 

NtUserSetTimer(>)  1 
NtClearEvent(>)  11 
NtUserFindExistingCursorIcon(>)  48 

NtCreateIoCompletion(>)  2 

Trace:
 00001   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   452   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   452   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   452   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   452   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   452   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   452   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   452   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   452   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   452   NtClose  (12, ... ) == 0x0
 00014   452   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   452   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   452   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   452   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   452   NtClose  (16, ... ) == 0x0
 00021   452   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   452   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   452   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   452   NtClose  (16, ... ) == 0x0
 00026   452   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   452   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   452   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   452   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1522, 0} "\3609\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 444, 452, 1522, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 444, 452, 1522, 0} "\3609\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   452   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   452   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   452   NtClose  (16, ... ) == 0x0
 00036   452   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   452   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   452   NtClose  (28, ... ) == 0x0
 00041   452   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   452   NtClose  (28, ... ) == 0x0
 00045   452   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   452   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   452   NtClose  (28, ... ) == 0x0
 00049   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   452   NtClose  (28, ... ) == 0x0
 00052   452   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1532, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 444, 452, 1532, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 444, 452, 1532, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   452   NtProtectVirtualMemory  (-1, (0x407000), 12, 4, ... (0x407000), 4096, 8, ) == 0x0
 00057   452   NtProtectVirtualMemory  (-1, (0x407000), 4096, 8, ... (0x407000), 4096, 4, ) == 0x0
 00058   452   NtFlushInstructionCache  (-1, 4222976, 12, ... ) == 0x0
 00059   452   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   452   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   452   NtClose  (28, ... ) == 0x0
 00062   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   452   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   452   NtClose  (28, ... ) == 0x0
 00065   452   NtTestAlert  (... ) == 0x0
 00066   452   NtContinue  (1244464, 1, ...
 00067   452   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x406190,}, 4, ... ) == 0x0
 00068   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00069   452   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00070   452   NtClose  (28, ... ) == 0x0
 00071   452   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00072   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00073   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00074   452   NtClose  (28, ... ) == 0x0
 00075   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00076   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00077   452   NtClose  (28, ... ) == 0x0
 00078   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00079   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00080   452   NtClose  (28, ... ) == 0x0
 00081   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00082   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00083   452   NtClose  (28, ... ) == 0x0
 00084   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00085   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00086   452   NtClose  (28, ... ) == 0x0
 00087   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00088   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00089   452   NtClose  (28, ... ) == 0x0
 00090   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00091   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00092   452   NtClose  (28, ... ) == 0x0
 00093   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00094   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00095   452   NtClose  (28, ... ) == 0x0
 00096   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00097   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00098   452   NtClose  (28, ... ) == 0x0
 00099   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00100   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00101   452   NtClose  (28, ... ) == 0x0
 00102   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00103   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00104   452   NtClose  (28, ... ) == 0x0
 00105   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00106   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00107   452   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00108   452   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00109   452   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00110   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00111   452   NtClose  (28, ... ) == 0x0
 00112   452   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00113   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00114   452   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242160, 256, 1241904, 256}  (24, {28, 56, new_msg, 0, 1242160, 256, 1241904, 256} "\210\6\32\1\0\0\0\0\1\0\0\00\364\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1553, 0} "XQ\26\0\0\0\0\0\0\0\0\00\364\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 444, 452, 1553, 0}  (24, {28, 56, new_msg, 0, 1242160, 256, 1241904, 256} "\210\6\32\1\0\0\0\0\1\0\0\00\364\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 444, 452, 1553, 0} "XQ\26\0\0\0\0\0\0\0\0\00\364\22\0\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00115   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00116   452   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4f0000), 0x0, 1060864, ) == 0x0
 00117   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00118   452   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   452   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00120   452   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00121   452   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00122   452   NtClose  (-2147482020, ... ) == 0x0
 00123   452   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00124   452   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00125   452   NtDuplicateObject  (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0
 00126   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00127   452   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   452   NtClose  (-2147482020, ... ) == 0x0
 00129   452   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00130   452   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00131   452   NtClose  (-2147482020, ... ) == 0x0
 00132   452   NtQueryDefaultLocale  (0, -136148468, ... ) == 0x0
 00133   452   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00134   452   NtUserCallNoParam  (24, ... ) == 0x0
 00135   452   NtGdiCreateCompatibleDC  (0, ...
 00136   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00135   452   NtGdiCreateCompatibleDC  ... ) == 0xe010451
 00137   452   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00138   452   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00139   452   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb050458
 00140   452   NtGdiCreateSolidBrush  (0, 0, ...
 00141   452   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00140   452   NtGdiCreateSolidBrush  ... ) == 0x810045b
 00142   452   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00143   452   NtGdiCreateCompatibleDC  (0, ... ) == 0x601045c
 00144   452   NtGdiSelectBitmap  (100729948, 184878168, ... ) == 0x185000f
 00145   452   NtUserGetThreadDesktop  (452, 0, ... ) == 0x28
 00146   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0
 00147   452   NtQueryValueKey  (48,  (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00148   452   NtClose  (48, ... ) == 0x0
 00149   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00150   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 673, 128, 0, ... ) == 0x810cc017
 00151   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00152   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 674, 128, 0, ... ) == 0x810cc01c
 00153   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00154   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 675, 128, 0, ... ) == 0x810cc01e
 00155   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00156   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 676, 128, 0, ... ) == 0x810c8002
 00157   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10013
 00158   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 677, 128, 0, ... ) == 0x810cc018
 00159   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00160   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 678, 128, 0, ... ) == 0x810cc01a
 00161   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00162   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 679, 128, 0, ... ) == 0x810cc01d
 00163   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00164   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 681, 128, 0, ... ) == 0x810cc026
 00165   452   NtUserFindExistingCursorIcon  (1240244, 1240260, 1240828, ... ) == 0x10011
 00166   452   NtUserRegisterClassExWOW  (1240764, 1240844, 1240828, 1240860, 680, 128, 0, ... ) == 0x810cc019
 00167   452   NtUserRegisterClassExWOW  (1240716, 1240796, 1240780, 1240812, 0, 128, 0, ... ) == 0x810cc020
 00168   452   NtUserRegisterClassExWOW  (1240716, 1240792, 1240808, 1240780, 0, 130, 0, ... ) == 0x810cc022
 00169   452   NtUserRegisterClassExWOW  (1240716, 1240796, 1240780, 1240812, 0, 128, 0, ...
 00170   452   NtAllocateVirtualMemory  (-1, 6402048, 0, 4096, 4096, 32, ... 6402048, 4096, ) == 0x0
 00169   452   NtUserRegisterClassExWOW  ... ) == 0x810cc023
 00171   452   NtUserRegisterClassExWOW  (1240716, 1240792, 1240808, 1240780, 0, 130, 0, ... ) == 0x810cc024
 00172   452   NtUserRegisterClassExWOW  (1240716, 1240796, 1240780, 1240812, 0, 128, 0, ... ) == 0x810cc025
 00173   452   NtCallbackReturn  (0, 0, 0, ...
 00174   452   NtGdiInit  (... ) == 0x1
 00175   452   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00176   452   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00177   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0
 00178   452   NtQueryValueKey  (48,  (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00179   452   NtQueryValueKey  (48,  (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00180   452   NtClose  (48, ... ) == 0x0
 00181   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0
 00182   452   NtQueryValueKey  (48,  (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00183   452   NtClose  (48, ... ) == 0x0
 00184   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0
 00185   452   NtSetInformationObject  (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00186   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00187   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   452   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00190   452   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00191   452   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00192   452   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00193   452   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00194   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1242572, 0,  (0x1f0003, {24, 52, 0x80, 1242572, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00195   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00196   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00197   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00198   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00199   452   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00200   452   NtClose  (60, ... ) == 0x0
 00201   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00202   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00203   452   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00204   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00205   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00206   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00207   452   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   452   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00209   452   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00210   452   NtClose  (60, ... ) == 0x0
 00211   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00212   452   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00213   452   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214   452   NtClose  (60, ... ) == 0x0
 00215   452   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00216   452   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00217   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00218   452   NtOpenKey  (0x9, {24, 48, 0x40, 0, 0,  (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00219   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00220   452   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00221   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00222   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00223   452   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00224   452   NtClose  (60, ... ) == 0x0
 00225   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00226   452   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00227   452   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00228   452   NtQueryDefaultUILanguage  (1240808, ...
 00229   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00230   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00231   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00232   452   NtClose  (-2147482020, ... ) == 0x0
 00233   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00234   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00236   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   452   NtClose  (-2147482032, ... ) == 0x0
 00238   452   NtClose  (-2147482020, ... ) == 0x0
 00228   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00239   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   452   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00241   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00242   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00243   452   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x360000), 0x0, 593920, ) == 0x0
 00244   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00245   452   NtQueryDefaultUILanguage  (2013024600, ...
 00246   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00247   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00248   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00249   452   NtClose  (-2147482020, ... ) == 0x0
 00250   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00251   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00253   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   452   NtClose  (-2147482032, ... ) == 0x0
 00255   452   NtClose  (-2147482020, ... ) == 0x0
 00245   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00256   452   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00257   452   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00258   452   NtQueryDefaultLocale  (1, 1238844, ... ) == 0x0
 00259   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239700, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239700, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1564, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1564, 0}  (24, {128, 156, new_msg, 0, 1239700, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1564, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\361\22\0\0\0\0\0" )  ) == 0x0
 00261   452   NtClose  (68, ... ) == 0x0
 00262   452   NtClose  (72, ... ) == 0x0
 00263   452   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00264   452   NtUnmapViewOfSection  (-1, 0x12f194, ... ) == STATUS_NOT_MAPPED_VIEW
 00265   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00266   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00268   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00269   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237384, ... ) }, 1237384, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00271   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00272   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00273   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237976, ... ) }, 1237976, ... ) == 0x0
 00274   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00275   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00276   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00277   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00278   452   NtClose  (68, ... ) == 0x0
 00279   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0
 00280   452   NtClose  (76, ... ) == 0x0
 00281   452   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00282   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00283   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00284   452   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00285   452   NtOpenProcessToken  (-1, 0x8, ... 80, ) == 0x0
 00286   452   NtQueryInformationToken  (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   452   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00288   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0
 00289   452   NtQueryValueKey  (84,  (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00290   452   NtClose  (84, ... ) == 0x0
 00291   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00292   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00293   452   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00294   452   NtClose  (84, ... ) == 0x0
 00295   452   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   452   NtClose  (80, ... ) == 0x0
 00297   452   NtClose  (76, ... ) == 0x0
 00298   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00299   452   NtClose  (68, ... ) == 0x0
 00300   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00301   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00302   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00303   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00304   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00305   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00306   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00307   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00308   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00309   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00310   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00311   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00312   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00313   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00314   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00315   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00316   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00317   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00318   452   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00319   452   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00320   452   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00321   452   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239160, ... ) , 42, 1239160, ... ) == 0x0
 00322   452   NtQueryDefaultUILanguage  (1237876, ...
 00323   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00324   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00325   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00326   452   NtClose  (-2147482020, ... ) == 0x0
 00327   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00328   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00329   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00330   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331   452   NtClose  (-2147482032, ... ) == 0x0
 00332   452   NtClose  (-2147482020, ... ) == 0x0
 00322   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00333   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00334   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236728, ... ) }, 1236728, ... ) == 0x0
 00335   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00336   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00337   452   NtClose  (68, ... ) == 0x0
 00338   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 4096, ) == 0x0
 00339   452   NtClose  (76, ... ) == 0x0
 00340   452   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00341   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236368, ... ) }, 1236368, ... ) == 0x0
 00342   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237068,  (0x80100080, {24, 0, 0x40, 0, 1237068, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00343   452   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00344   452   NtClose  (76, ... ) == 0x0
 00345   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 4096, ) == 0x0
 00346   452   NtClose  (68, ... ) == 0x0
 00347   452   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00348   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00349   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00350   452   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x360000), 0x0, 4096, ) == 0x0
 00351   452   NtQueryInformationFile  (68, 1236688, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00352   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00353   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236768, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236768, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0 \346\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1565, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0 \346\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1565, 0}  (24, {128, 156, new_msg, 0, 1236768, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0 \346\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1565, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0 \346\22\0\0\0\0\0" )  ) == 0x0
 00354   452   NtClose  (68, ... ) == 0x0
 00355   452   NtClose  (76, ... ) == 0x0
 00356   452   NtUnmapViewOfSection  (-1, 0x360000, ... ) == 0x0
 00357   452   NtUnmapViewOfSection  (-1, 0x12e620, ... ) == STATUS_NOT_MAPPED_VIEW
 00358   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00359   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00360   452   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00361   452   NtUserGetDC  (0, ... ) == 0x1010050
 00362   452   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00363   452   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00364   452   NtUserSystemParametersInfo  (66, 12, 1239180, 0, ... ) == 0x1
 00365   452   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00366   452   NtAccessCheck  (1343968, 76, 0x1, 1238584, 1238528, 56, 1238612, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00367   452   NtClose  (76, ... ) == 0x0
 00368   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00369   452   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00370   452   NtClose  (76, ... ) == 0x0
 00371   452   NtUserSystemParametersInfo  (41, 500, 1238680, 0, ... ) == 0x1
 00372   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00373   452   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00374   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00375   452   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376   452   NtClose  (68, ... ) == 0x0
 00377   452   NtClose  (76, ... ) == 0x0
 00378   452   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00379   452   NtUserSystemParametersInfo  (4130, 0, 1239204, 0, ... ) == 0x1
 00380   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00381   452   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00382   452   NtClose  (76, ... ) == 0x0
 00383   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00384   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc03b
 00385   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc03d
 00386   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00387   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc03f
 00388   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00389   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc041
 00390   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00391   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc043
 00392   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc045
 00393   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00394   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc047
 00395   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00396   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc049
 00397   452   NtUserGetClassInfo  (1905590272, 1239100, 1239052, 1239128, 0, ... ) == 0xc049
 00398   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00399   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc04b
 00400   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00401   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc04d
 00402   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00403   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc04f
 00404   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc051
 00405   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00406   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc053
 00407   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00408   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc055
 00409   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc057
 00410   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00411   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc059
 00412   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10013
 00413   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc05b
 00414   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00415   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc05d
 00416   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00417   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc05f
 00418   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00419   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc017
 00420   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00421   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc019
 00422   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10013
 00423   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc018
 00424   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00425   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc01a
 00426   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00427   452   NtUserRegisterClassExWOW  (1238936, 1239016, 1239000, 1239032, 0, 384, 0, ... ) == 0x810cc01c
 00428   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00429   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc01e
 00430   452   NtUserFindExistingCursorIcon  (1238484, 1238500, 1239068, ... ) == 0x10011
 00431   452   NtUserRegisterClassExWOW  (1238996, 1239076, 1239060, 1239092, 0, 384, 0, ... ) == 0x810cc01b
 00432   452   NtUserFindExistingCursorIcon  (1238480, 1238496, 1239064, ... ) == 0x10011
 00433   452   NtUserRegisterClassExWOW  (1238992, 1239072, 1239056, 1239088, 0, 384, 0, ... ) == 0x810cc068
 00434   452   NtUserFindExistingCursorIcon  (1238488, 1238504, 1239072, ... ) == 0x10011
 00435   452   NtUserRegisterClassExWOW  (1238940, 1239020, 1239004, 1239036, 0, 384, 0, ... ) == 0x810cc06a
 00436   452   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00437   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00438   452   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00439   452   NtClose  (68, ... ) == 0x0
 00440   452   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 68, ) == 0x0
 00441   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 00442   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0
 00443   452   NtNotifyChangeKey  (84, 80, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00444   452   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00445   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00446   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00447   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 96, ) }, ... 96, ) == 0x0
 00448   452   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00449   452   NtClose  (96, ... ) == 0x0
 00450   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 96, ) }, ... 96, ) == 0x0
 00451   452   NtQueryValueKey  (96,  (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00452   452   NtClose  (96, ... ) == 0x0
 00453   452   NtQueryDefaultUILanguage  (1240796, ...
 00454   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00455   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00456   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00457   452   NtClose  (-2147482020, ... ) == 0x0
 00458   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00459   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00460   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00461   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   452   NtClose  (-2147482032, ... ) == 0x0
 00463   452   NtClose  (-2147482020, ... ) == 0x0
 00453   452   NtQueryDefaultUILanguage  ... ) == 0x0
 00464   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00466   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00467   452   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 8323072, ) == 0x0
 00468   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00469   452   NtQueryDefaultLocale  (1, 1238832, ... ) == 0x0
 00470   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1239688, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1239688, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\210\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1566, 0} " S\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\210\361\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1566, 0}  (24, {128, 156, new_msg, 0, 1239688, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\210\361\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1566, 0} " S\26\0\33\0\1\0\0\0\0\0\1\355\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\310\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\210\361\22\0\0\0\0\0" )  ) == 0x0
 00472   452   NtClose  (96, ... ) == 0x0
 00473   452   NtClose  (100, ... ) == 0x0
 00474   452   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00475   452   NtUnmapViewOfSection  (-1, 0x12f188, ... ) == STATUS_NOT_MAPPED_VIEW
 00476   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00477   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00478   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00479   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00480   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237916, ... ) }, 1237916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00482   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00483   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00484   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238508, ... ) }, 1238508, ... ) == 0x0
 00485   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00486   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00487   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 96, ) }, ... 96, ) == 0x0
 00488   452   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00489   452   NtClose  (96, ... ) == 0x0
 00490   452   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {444, 0}, ... 96, ) == 0x0
 00491   452   NtQueryInformationProcess  (96, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00492   452   NtClose  (96, ... ) == 0x0
 00493   452   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00494   452   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00495   452   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00496   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0
 00497   452   NtQueryValueKey  (96,  (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498   452   NtClose  (96, ... ) == 0x0
 00499   452   NtUserSystemParametersInfo  (41, 500, 1240372, 0, ... ) == 0x1
 00500   452   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00501   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00502   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00503   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ...
 00504   452   NtAllocateVirtualMemory  (-1, 6406144, 0, 4096, 4096, 32, ... 6406144, 4096, ) == 0x0
 00503   452   NtUserRegisterClassExWOW  ... ) == 0x810cc03b
 00505   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00506   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc03d
 00507   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00508   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00509   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc03f
 00510   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00511   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00512   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc041
 00513   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00514   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00515   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc043
 00516   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00517   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc045
 00518   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00519   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00520   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc047
 00521   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00522   452   NtUserFindExistingCursorIcon  (1240160, 1240176, 1240744, ... ) == 0x10011
 00523   452   NtUserRegisterClassExWOW  (1240612, 1240692, 1240676, 1240708, 0, 384, 0, ... ) == 0x810cc049
 00524   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00525   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00526   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc04b
 00527   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00528   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00529   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc04d
 00530   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00531   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00532   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc04f
 00533   452   NtUserGetClassInfo  (1999896576, 1240784, 1240736, 1240812, 0, ... ) == 0x0
 00534   452   NtUserRegisterClassExWOW  (1240620, 1240700, 1240684, 1240716, 0, 384, 0, ... ) == 0x810cc051
 00535   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00536   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00537   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc053
 00538   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00539   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00540   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc055
 00541   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc057
 00542   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00543   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00544   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc059
 00545   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00546   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10013
 00547   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc05b
 00548   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00549   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00550   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc05d
 00551   452   NtUserGetClassInfo  (1999896576, 1240780, 1240732, 1240808, 0, ... ) == 0x0
 00552   452   NtUserFindExistingCursorIcon  (1240164, 1240180, 1240748, ... ) == 0x10011
 00553   452   NtUserRegisterClassExWOW  (1240616, 1240696, 1240680, 1240712, 0, 384, 0, ... ) == 0x810cc05f
 00554   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc03b
 00555   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc03d
 00556   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc03f
 00557   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc041
 00558   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc043
 00559   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc045
 00560   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc047
 00561   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc049
 00562   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc04b
 00563   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc04d
 00564   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc04f
 00565   452   NtUserGetClassInfo  (1999896576, 1242536, 1242488, 1242564, 0, ... ) == 0xc051
 00566   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc053
 00567   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc055
 00568   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc059
 00569   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc05b
 00570   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc05d
 00571   452   NtUserGetClassInfo  (1999896576, 1242532, 1242484, 1242560, 0, ... ) == 0xc05f
 00572   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00573   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1242440, ... ) }, 1242440, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ws2_32.dll"}, 1242440, ... ) }, 1242440, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 1242440, ... ) }, 1242440, ... ) == 0x0
 00576   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00577   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 104, ) == 0x0
 00578   452   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00579   452   NtClose  (96, ... ) == 0x0
 00580   452   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00581   452   NtClose  (104, ... ) == 0x0
 00582   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241636, ... ) }, 1241636, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241636, ... ) }, 1241636, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241636, ... ) }, 1241636, ... ) == 0x0
 00586   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00587   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 96, ) == 0x0
 00588   452   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00589   452   NtClose  (104, ... ) == 0x0
 00590   452   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00591   452   NtClose  (96, ... ) == 0x0
 00592   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00593   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00594   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0
 00595   452   NtQueryValueKey  (96,  (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00596   452   NtQueryValueKey  (96,  (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00597   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00598   452   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "Protocol_Catalog9"}, ... 108, ) }, ... 108, ) == 0x0
 00599   452   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00600   452   NtNotifyChangeKey  (108, 104, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00601   452   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00602   452   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00603   452   NtQueryValueKey  (108,  (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00604   452   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00605   452   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00606   452   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00607   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00608   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00609   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00610   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0c\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0d\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0e\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0f\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00611   452   NtClose  (116, ... ) == 0x0
 00612   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 00613   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00614   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00615   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0h\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0i\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0j\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0k\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00616   452   NtClose  (116, ... ) == 0x0
 00617   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 00618   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00619   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00620   452   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00621   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0n\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0o\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0p\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0q\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00622   452   NtClose  (116, ... ) == 0x0
 00623   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 00624   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00625   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00626   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0s\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0t\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0u\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0v\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00627   452   NtClose  (116, ... ) == 0x0
 00628   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000005"}, ... 116, ) }, ... 116, ) == 0x0
 00629   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00630   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00631   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0x\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0y\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0z\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0{\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00632   452   NtClose  (116, ... ) == 0x0
 00633   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000006"}, ... 116, ) }, ... 116, ) == 0x0
 00634   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00635   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00636   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0}\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0~\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\177\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\200\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00637   452   NtClose  (116, ... ) == 0x0
 00638   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000007"}, ... 116, ) }, ... 116, ) == 0x0
 00639   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00640   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00641   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\202\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\203\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\204\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\205\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00642   452   NtClose  (116, ... ) == 0x0
 00643   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000008"}, ... 116, ) }, ... 116, ) == 0x0
 00644   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00645   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00646   452   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00647   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\210\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\211\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\212\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\213\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00648   452   NtClose  (116, ... ) == 0x0
 00649   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000009"}, ... 116, ) }, ... 116, ) == 0x0
 00650   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00651   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00652   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\215\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\216\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\217\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\220\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00653   452   NtClose  (116, ... ) == 0x0
 00654   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000010"}, ... 116, ) }, ... 116, ) == 0x0
 00655   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00656   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00657   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\222\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0@\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\223\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\224\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\225\2\0\0\274\1\0\0\304\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0
 00658   452   NtClose  (116, ... ) == 0x0
 00659   452   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000011"}, ... 116, ) }, ... 116, ) == 0x0
 00660   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00661   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00662   452   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\227\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\227\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\230\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\2\0\0\274\1\0\0\304\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\231\2\0\0\274\1\0\0\304\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\232\2\0\0\274\1\0\0\304\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\232\2\0\0\274\1\0\0\304\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\233\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\237\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\227\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\227\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\230\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\230\2\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\231\2\0\0\274\1\0\0\304\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\231\2\0\0\274\1\0\0\304\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\232\2\0\0\274\1\0\0\304\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\232\2\0\0\274\1\0\0\304\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\233\2\0\0\274\1\0\0\304\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0\\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\237\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0
 00663   452   NtClose  (116, ... ) == 0x0
 00664   452   NtClose  (112, ... ) == 0x0
 00665   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 00666   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00667   452   NtOpenKey  (0x2000000, {24, 96, 0x40, 0, 0,  (0x2000000, {24, 96, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 116, ) }, ... 116, ) == 0x0
 00668   452   NtQueryValueKey  (116,  (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00669   452   NtNotifyChangeKey  (116, 112, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00670   452   NtQueryValueKey  (116,  (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00671   452   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   452   NtQueryValueKey  (116,  (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00673   452   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "Catalog_Entries"}, ... 120, ) }, ... 120, ) == 0x0
 00674   452   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00675   452   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000001"}, ... 124, ) }, ... 124, ) == 0x0
 00676   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00677   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00678   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00679   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00680   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00681   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00682   452   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00683   452   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00684   452   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00685   452   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00686   452   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00687   452   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00688   452   NtClose  (124, ... ) == 0x0
 00689   452   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000002"}, ... 124, ) }, ... 124, ) == 0x0
 00690   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00691   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00692   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00693   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00694   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00695   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00696   452   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00697   452   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00698   452   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00699   452   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00700   452   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00701   452   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00702   452   NtClose  (124, ... ) == 0x0
 00703   452   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000003"}, ... 124, ) }, ... 124, ) == 0x0
 00704   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00705   452   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00706   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00707   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00708   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00709   452   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00710   452   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00711   452   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00712   452   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00713   452   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00714   452   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00715   452   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00716   452   NtClose  (124, ... ) == 0x0
 00717   452   NtClose  (120, ... ) == 0x0
 00718   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 00719   452   NtClose  (96, ... ) == 0x0
 00720   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00721   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00722   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0
 00723   452   NtQueryValueKey  (96,  (96, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00724   452   NtClose  (96, ... ) == 0x0
 00725   452   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 96, ) == 0x0
 00726   452   NtSetInformationProcess  (-1, PriorityClass, {process info, class 18, size 2}, 3277056, ... ) == 0x0
 00727   452   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "mtx_cv_cv_v3.5"}, 0, ... 120, ) }, 0, ... 120, ) == 0x0
 00728   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cvrss.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00729   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cvrss.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00730   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00731   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00732   452   NtClose  (124, ... ) == 0x0
 00733   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00734   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00735   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0", 72, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0", 72, ... , 72, ...
 00736   452   NtSetInformationFile  (-2147482844, -136149196, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00737   452   NtSetInformationFile  (-2147482844, -136149288, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00738   452   NtSetInformationFile  (-2147482844, -136149692, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00735   452   NtSetValueKey  ... ) == 0x0
 00739   452   NtClose  (124, ... ) == 0x0
 00740   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acrmon32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00741   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acrmon32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00742   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00743   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00744   452   NtClose  (124, ... ) == 0x0
 00745   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00746   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 84, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 84, ) }, 84, ) == 0x0
 00747   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 148, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 148, ... , 148, ...
 00748   452   NtSetInformationFile  (-2147482844, -136149584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00747   452   NtSetValueKey  ... ) == 0x0
 00749   452   NtClose  (124, ... ) == 0x0
 00750   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00751   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00752   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00753   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00754   452   NtClose  (124, ... ) == 0x0
 00755   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00756   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 160, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 160, ) }, 160, ) == 0x0
 00757   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0", 220, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0", 220, ... , 220, ...
 00758   452   NtSetInformationFile  (-2147482844, -136149584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00757   452   NtSetValueKey  ... ) == 0x0
 00759   452   NtClose  (124, ... ) == 0x0
 00760   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00762   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00763   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   452   NtClose  (124, ... ) == 0x0
 00765   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00766   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 232, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 232, ) }, 232, ) == 0x0
 00767   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 296, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 296, ... ) , 296, ... ) == 0x0
 00768   452   NtClose  (124, ... ) == 0x0
 00769   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00772   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   452   NtClose  (124, ... ) == 0x0
 00774   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00775   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 308, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 308, ) }, 308, ) == 0x0
 00776   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 372, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 372, ... ) , 372, ... ) == 0x0
 00777   452   NtClose  (124, ... ) == 0x0
 00778   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wcescom32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00779   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wcescom32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00780   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00781   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00782   452   NtClose  (124, ... ) == 0x0
 00783   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00784   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 384, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 384, ) }, 384, ) == 0x0
 00785   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 450, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 450, ... ) , 450, ... ) == 0x0
 00786   452   NtClose  (124, ... ) == 0x0
 00787   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\qmedia.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00788   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\qmedia.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00790   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   452   NtClose  (124, ... ) == 0x0
 00792   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00793   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 462, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 462, ) }, 462, ) == 0x0
 00794   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 522, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 522, ... , 522, ...
 00795   452   NtSetInformationFile  (-2147482844, -136149584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00794   452   NtSetValueKey  ... ) == 0x0
 00796   452   NtClose  (124, ... ) == 0x0
 00797   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icq6.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00798   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\icq6.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00799   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00800   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00801   452   NtClose  (124, ... ) == 0x0
 00802   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00803   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\26\2\0\0$\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2"}, 534, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\26\2\0\0$\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2"}, 534, ) }, 534, ) == 0x0
 00804   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 590, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 590, ... , 590, ...
 00805   452   NtSetInformationFile  (-2147482844, -136149584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00804   452   NtSetValueKey  ... ) == 0x0
 00806   452   NtClose  (124, ... ) == 0x0
 00807   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Userenv.dll"}, ... 124, ) }, ... 124, ) == 0x0
 00808   452   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 00809   452   NtClose  (124, ... ) == 0x0
 00810   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 124, ) }, ... 124, ) == 0x0
 00811   452   NtQueryValueKey  (124,  (124, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00812   452   NtClose  (124, ... ) == 0x0
 00813   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 124, ) }, ... 124, ) == 0x0
 00814   452   NtQueryValueKey  (124,  (124, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00815   452   NtClose  (124, ... ) == 0x0
 00816   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 124, ) }, ... 124, ) == 0x0
 00817   452   NtQueryValueKey  (124,  (124, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 00818   452   NtClose  (124, ... ) == 0x0
 00819   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241272, 0,  (0x1f0003, {24, 52, 0x80, 1241272, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 124, ) }, 0, 1, ... 124, ) == STATUS_OBJECT_NAME_EXISTS
 00820   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00821   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00822   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00823   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00824   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00825   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00826   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00827   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00828   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00829   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00830   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00831   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00832   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00833   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00834   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00835   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00836   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00837   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00838   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00839   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00840   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00841   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00842   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00843   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00844   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00845   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00846   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00847   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 00848   452   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00849   452   NtClose  (128, ... ) == 0x0
 00850   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0
 00851   452   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0
 00852   452   NtQueryValueKey  (132,  (132, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 00853   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00854   452   NtQueryValueKey  (132,  (132, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 00855   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00856   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00857   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00858   452   NtQueryDefaultLocale  (1, 1239108, ... ) == 0x0
 00859   452   NtClose  (132, ... ) == 0x0
 00860   452   NtClose  (128, ... ) == 0x0
 00861   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 00862   452   NtQueryValueKey  (128,  (128, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00863   452   NtClose  (128, ... ) == 0x0
 00864   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 00865   452   NtQueryValueKey  (128,  (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   452   NtQueryValueKey  (128,  (128, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   452   NtClose  (128, ... ) == 0x0
 00868   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0
 00870   452   NtQueryValueKey  (128,  (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00871   452   NtClose  (128, ... ) == 0x0
 00872   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 128, ) }, ... 128, ) == 0x0
 00874   452   NtQueryValueKey  (128,  (128, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (128, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 00875   452   NtClose  (128, ... ) == 0x0
 00876   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 128, ) }, ... 128, ) == 0x0
 00877   452   NtQueryValueKey  (128,  (128, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 00878   452   NtClose  (128, ... ) == 0x0
 00879   452   NtClose  (124, ... ) == 0x0
 00880   452   NtUnmapViewOfSection  (-1, 0x75a70000, ... ) == 0x0
 00881   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Task Manager.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Task Manager.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00883   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00884   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   452   NtClose  (124, ... ) == 0x0
 00886   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00887   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0Z\2\0\0x\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0"}, 602, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0Z\2\0\0x\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0"}, 602, ) }, 602, ) == 0x0
 00888   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 762, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 762, ... ) , 762, ... ) == 0x0
 00889   452   NtClose  (124, ... ) == 0x0
 00890   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskman.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00891   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskman.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00892   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00893   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   452   NtClose  (124, ... ) == 0x0
 00895   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00896   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\6\3\0\0\201\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0"}, 774, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\6\3\0\0\201\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0"}, 774, ) }, 774, ) == 0x0
 00897   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 924, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 924, ... , 924, ...
 00898   452   NtSetInformationFile  (-2147482844, -136149584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00897   452   NtSetValueKey  ... ) == 0x0
 00899   452   NtClose  (124, ... ) == 0x0
 00900   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mmedia.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mmedia.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00903   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   452   NtClose  (124, ... ) == 0x0
 00905   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00906   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\250\3\0\0\213\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0"}, 936, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\250\3\0\0\213\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0"}, 936, ) }, 936, ) == 0x0
 00907   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1084, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1084, ... ) , 1084, ... ) == 0x0
 00908   452   NtClose  (124, ... ) == 0x0
 00909   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winamp.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00910   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winamp.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00911   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00912   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00913   452   NtClose  (124, ... ) == 0x0
 00914   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00915   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_BUFFER_OVERFLOW
 00916   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1096, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0H\4\0\0\225\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0"}, 1096, ) , Partial, 1096, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1096, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0H\4\0\0\225\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0"}, 1096, ) }, 1096, ) == 0x0
 00917   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1244, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1244, ... ) , 1244, ... ) == 0x0
 00918   452   NtClose  (124, ... ) == 0x0
 00919   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\icq.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00920   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\icq.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00922   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   452   NtClose  (124, ... ) == 0x0
 00924   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00925   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_BUFFER_OVERFLOW
 00926   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1256, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\350\4\0\0\237\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0v\5\0\0\237\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\3\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0|\0\0\0\240\3\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\274\1\0\0\304\1\0\0O\0\0\0\0\0\1\0\0\0\0\0\334\0\0\0\200\0\1\0\0\0\0\0"}, 1256, ) , Partial, 1256, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1256, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\350\4\0\0\237\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0v\5\0\0\237\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\240\3\0\0\274\1\0\0\304\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0|\0\0\0\240\3\0\0\274\1\0\0\304\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\3\0\0\274\1\0\0\304\1\0\0O\0\0\0\0\0\1\0\0\0\0\0\334\0\0\0\200\0\1\0\0\0\0\0"}, 1256, ) }, 1256, ) == 0x0
 00927   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1398, ... ) , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1398, ... ) , 1398, ... ) == 0x0
 00928   452   NtClose  (124, ... ) == 0x0
 00929   452   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\icq agent.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930   452   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\icq agent.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00931   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00932   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00933   452   NtClose  (124, ... ) == 0x0
 00934   452   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0
 00935   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_BUFFER_OVERFLOW
 00936   452   NtAllocateVirtualMemory  (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0
 00937   452   NtQueryValueKey  (124,  (124, "PendingFileRenameOperations", Partial, 1410, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\202\5\0\0\252\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0\34\6\0\0\253\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0$\3\0\200\220\206\342\367\10\0\0\0\24\0\0\0\253\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0 \3\0\200\244\206\342\367\10\0\0\0\24\0\0\0\254\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\255\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0$\3\0\200l\206\342\367\10\0\0\0\24\0\0\0\255\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\252\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\1\0\1\0\0\0\0\0\0\0"}, 1410, ) , Partial, 1410, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1410, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0\0\0\0\0\202\5\0\0\252\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0\34\6\0\0\253\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0$\3\0\200\220\206\342\367\10\0\0\0\24\0\0\0\253\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\254\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0 \3\0\200\244\206\342\367\10\0\0\0\24\0\0\0\254\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\255\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0$\3\0\200l\206\342\367\10\0\0\0\24\0\0\0\255\3\0\0\274\1\0\0\304\1\0\0\241\0\0\0\1\0\0\0\0\0\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\252\3\0\0\274\1\0\0\304\1\0\0\263\0\0\0\1\0\1\0\0\0\0\0\0\0"}, 1410, ) }, 1410, ) == 0x0
 00938   452   NtSetValueKey  (124,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1564, ... , 0, 7,  (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0", 1564, ... , 1564, ...
 00939   452   NtSetInformationFile  (-2147482844, -136149360, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00940   452   NtSetInformationFile  (-2147482848, -136149340, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00941   452   NtSetInformationFile  (-2147482844, -136149396, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00938   452   NtSetValueKey  ... ) == 0x0
 00942   452   NtClose  (124, ... ) == 0x0
 00943   452   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 124, 2, ) }, 0, 0x0, 0, ... 124, 2, ) == 0x0
 00944   452   NtDeleteValueKey  (124,  (124, "ATI", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945   452   NtDeleteValueKey  (124,  (124, "Acrobat", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00946   452   NtDeleteValueKey  (124,  (124, "Acrobat Update", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00947   452   NtDeleteValueKey  (124,  (124, "Acrobat Read", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948   452   NtDeleteValueKey  (124,  (124, "rasman", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949   452   NtDeleteValueKey  (124,  (124, "ActiveSync", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00950   452   NtDeleteValueKey  (124,  (124, "Winamp Media", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00951   452   NtDeleteValueKey  (124,  (124, "ICQ Agent", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00952   452   NtClose  (124, ... ) == 0x0
 00953   452   NtUserRegisterClassExWOW  (1244368, 1244444, 1244460, 1244432, 0, 386, 0, ... ) == 0x810cc0d5
 00954   452   NtUserCreateWindowEx  (-2147483648, 1244352, 1244164, "-2147483648, 0, 0, 1, 1, 0, 0, 0, 0, 1073742848, 0, ...
 00955   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240548, ... ) }, 1240548, ... ) == 0x0
 00956   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 00957   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0
 00958   452   NtClose  (124, ... ) == 0x0
 00959   452   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 204800, ) == 0x0
 00960   452   NtClose  (128, ... ) == 0x0
 00961   452   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 00962   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240864, ... ) }, 1240864, ... ) == 0x0
 00963   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 00964   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0
 00965   452   NtQuerySection  (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00966   452   NtClose  (128, ... ) == 0x0
 00967   452   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00968   452   NtClose  (124, ... ) == 0x0
 00969   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00970   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00971   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00972   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00973   452   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00974   452   NtClose  (124, ... ) == 0x0
 00975   452   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 124, ) == 0x0
 00976   452   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 128, ) }, ... 128, ) == 0x0
 00977   452   NtQueryValueKey  (128,  (128, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00978   452   NtClose  (128, ... ) == 0x0
 00979   452   NtClose  (124, ... ) == 0x0
 00980   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00981   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00982   452   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00983   452   NtClose  (124, ... ) == 0x0
 00984   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 124, ) == 0x0
 00985   452   NtOpenKey  (0x1, {24, 124, 0x40, 0, 0,  (0x1, {24, 124, 0x40, 0, 0, "Control Panel\Desktop"}, ... 128, ) }, ... 128, ) == 0x0
 00986   452   NtQueryValueKey  (128,  (128, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00987   452   NtClose  (128, ... ) == 0x0
 00988   452   NtClose  (124, ... ) == 0x0
 00989   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240364, ... ) }, 1240364, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00990   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240364, ... ) }, 1240364, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00991   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240364, ... ) }, 1240364, ... ) == 0x0
 00992   452   NtUserGetProcessWindowStation  (... ) == 0x24
 00993   452   NtUserGetObjectInformation  (36, 2, 0, 0, 1242660, ... ) == 0x0
 00994   452   NtUserGetObjectInformation  (36, 2, 1370248, 16, 1242660, ... ) == 0x1
 00995   452   NtUserGetGUIThreadInfo  (452, 1242616, ... ) == 0x1
 00996   452   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242436, 64, ... 124, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242436, 64, ... 124, 0x0, 0x0, 0x0, 64, ) == 0x0
 00997   452   NtRequestWaitReplyPort  (124, {32, 56, new_msg, 0, 0, 0, 0, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 1568, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00998   452   NtRequestWaitReplyPort  (124, {32, 56, new_msg, 0, 0, 0, 0, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1569, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 1569, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1569, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00999   452   NtUserCallNoParam  (29, ...
 01000   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239908, ... ) }, 1239908, ... ) == 0x0
 00999   452   NtUserCallNoParam  ... ) == 0x0
 01001   452   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01002   452   NtGdiHfontCreate  (1241988, 356, 0, 0, 1344040, ... ) == 0x80a045d
 01003   452   NtGdiHfontCreate  (1241988, 356, 0, 0, 1344032, ... ) == 0x60a045e
 01004   452   NtRequestWaitReplyPort  (124, {32, 56, new_msg, 0, 0, 0, 0, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1570, 0} "\0\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 444, 452, 1570, 0}  (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 444, 452, 1570, 0} "\0\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01005   452   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 331776, ) == 0x0
 01006   452   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 01007   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01008   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01009   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01010   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01011   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01012   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01013   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01014   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01015   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01016   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01017   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01018   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01019   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01020   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01021   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01022   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01023   452   NtUserGetWindowDC  (0, ... ) == 0x1010053
 01024   452   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100460
 01025   452   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 01026   452   NtUserCallNoParam  (29, ...
 01027   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239352, ... ) }, 1239352, ... ) == 0x0
 01026   452   NtUserCallNoParam  ... ) == 0x0
 01028   452   NtUserCallNoParam  (29, ...
 01029   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239348, ... ) }, 1239348, ... ) == 0x0
 01028   452   NtUserCallNoParam  ... ) == 0x0
 01030   452   NtUserMessageCall  (0x200b2, WM_NCCREATE, 0x0, 0x12f730, 0, 670, 1, ... ) == 0x1
 01031   452   NtUserMessageCall  (0x200b2, WM_NCCALCSIZE, 0x0, 0x12f764, 0, 670, 1, ... ) == 0x0
 01032   452   NtUserSetProp  (131250, 43288, -1, ... ) == 0x1
 01033   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1240816,  (0x80100080, {24, 0, 0x40, 0, 1240816, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01034   452   NtQueryInformationFile  (132, 1241752, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01035   452   NtQueryInformationFile  (132, 1241724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01036   452   NtQueryInformationFile  (132, 1241676, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01037   452   NtQueryInformationFile  (132, 1371448, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01038   452   NtQueryInformationFile  (132, 1240220, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01039   452   NtQueryInformationFile  (132, 1240064, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01040   452   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1240072,  (0x40110080, {24, 0, 0x40, 0, 1240072, "\??\C:\WINDOWS\System32\msgs7.exe"}, 0x0, 32, 0, 2, 100, 0, 0, ... 136, {status=0x0, info=2}, ) }, 0x0, 32, 0, 2, 100, 0, 0, ... 136, {status=0x0, info=2}, ) == 0x0
 01041   452   NtQueryVolumeInformationFile  (136, 1239444, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01042   452   NtQueryInformationFile  (136, 1239404, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01043   452   NtQueryVolumeInformationFile  (132, 1239444, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01044   452   NtSetInformationFile  (136, 1239232, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01045   452   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 132, ... 140, ) == 0x0
 01046   452   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01047   452   NtClose  (140, ... ) == 0x0
 01048   452   NtWriteFile  (136, 0, 0, 0,  (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\305q_D\244\37\14D\244\37\14D\244\37\14\307\254B\14G\244\37\14D\244\36\14F\244\37\14A\250\177\14N\244\37\14A\250E\14E\244\37\14RichD\244\37\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\215\2\354F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0J\0\0\0\236\0\0\0\0\0\0\220a\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\214{\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\330F\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\340CODE", 24576, 0x0, 0, ... {status=0x0, info=24576}, ) , 24576, 0x0, 0, ... {status=0x0, info=24576}, ) == 0x0
 01049   452   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01050   452   NtSetInformationFile  (136, 1241676, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01051   452   NtClose  (132, ... ) == 0x0
 01052   452   NtClose  (136, ... ) == 0x0
 01053   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Userenv.dll"}, ... 136, ) }, ... 136, ) == 0x0
 01054   452   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 01055   452   NtClose  (136, ... ) == 0x0
 01056   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 136, ) }, ... 136, ) == 0x0
 01057   452   NtQueryValueKey  (136,  (136, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01058   452   NtClose  (136, ... ) == 0x0
 01059   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 136, ) }, ... 136, ) == 0x0
 01060   452   NtQueryValueKey  (136,  (136, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01061   452   NtClose  (136, ... ) == 0x0
 01062   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 136, ) }, ... 136, ) == 0x0
 01063   452   NtQueryValueKey  (136,  (136, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01064   452   NtClose  (136, ... ) == 0x0
 01065   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1238768, 0,  (0x1f0003, {24, 52, 0x80, 1238768, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 136, ) }, 0, 1, ... 136, ) == STATUS_OBJECT_NAME_EXISTS
 01066   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01067   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01068   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01069   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01070   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01071   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01072   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01073   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01074   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01075   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01076   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01077   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01078   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01079   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01080   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01081   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01082   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01083   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01084   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01085   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01086   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01087   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01088   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01089   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01090   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01091   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01092   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01093   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 01094   452   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01095   452   NtClose  (132, ... ) == 0x0
 01096   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 132, ) }, ... 132, ) == 0x0
 01097   452   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 140, ) }, ... 140, ) == 0x0
 01098   452   NtQueryValueKey  (140,  (140, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01099   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01100   452   NtQueryValueKey  (140,  (140, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01101   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01102   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01103   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01104   452   NtQueryDefaultLocale  (1, 1236604, ... ) == 0x0
 01105   452   NtClose  (140, ... ) == 0x0
 01106   452   NtClose  (132, ... ) == 0x0
 01107   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01108   452   NtQueryValueKey  (132,  (132, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01109   452   NtClose  (132, ... ) == 0x0
 01110   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01111   452   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   452   NtQueryValueKey  (132,  (132, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01113   452   NtClose  (132, ... ) == 0x0
 01114   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0
 01116   452   NtQueryValueKey  (132,  (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117   452   NtClose  (132, ... ) == 0x0
 01118   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 132, ) }, ... 132, ) == 0x0
 01120   452   NtQueryValueKey  (132,  (132, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01121   452   NtClose  (132, ... ) == 0x0
 01122   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 132, ) }, ... 132, ) == 0x0
 01123   452   NtQueryValueKey  (132,  (132, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 01124   452   NtClose  (132, ... ) == 0x0
 01125   452   NtClose  (136, ... ) == 0x0
 01126   452   NtUnmapViewOfSection  (-1, 0x75a70000, ... ) == 0x0
 01127   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1240008,  (0x80100080, {24, 0, 0x40, 0, 1240008, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01128   452   NtQueryInformationFile  (136, 1240944, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01129   452   NtQueryInformationFile  (136, 1240916, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01130   452   NtQueryInformationFile  (136, 1240868, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01131   452   NtQueryInformationFile  (136, 1371752, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01132   452   NtQueryInformationFile  (136, 1239412, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01133   452   NtQueryInformationFile  (136, 1239256, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01134   452   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1239264,  (0x40110080, {24, 0, 0x40, 0, 1239264, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskman.exe"}, 0x0, 32, 0, 2, 100, 0, 0, ... 132, {status=0x0, info=2}, ) }, 0x0, 32, 0, 2, 100, 0, 0, ... 132, {status=0x0, info=2}, ) == 0x0
 01135   452   NtQueryVolumeInformationFile  (132, 1238636, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01136   452   NtQueryInformationFile  (132, 1238596, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01137   452   NtQueryVolumeInformationFile  (136, 1238636, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01138   452   NtSetInformationFile  (132, 1238424, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01139   452   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0
 01140   452   NtMapViewOfSection  (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 24576, ) == 0x0
 01141   452   NtClose  (140, ... ) == 0x0
 01142   452   NtWriteFile  (132, 0, 0, 0,  (132, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\305q_D\244\37\14D\244\37\14D\244\37\14\307\254B\14G\244\37\14D\244\36\14F\244\37\14A\250\177\14N\244\37\14A\250E\14E\244\37\14RichD\244\37\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\5\0\215\2\354F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0J\0\0\0\236\0\0\0\0\0\0\220a\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\214{\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\330F\0\0\0\20\0\0\0H\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\340CODE", 24576, 0x0, 0, ... {status=0x0, info=24576}, ) , 24576, 0x0, 0, ... {status=0x0, info=24576}, ) == 0x0
 01143   452   NtUnmapViewOfSection  (-1, 0x3e0000, ... ) == 0x0
 01144   452   NtSetInformationFile  (132, 1240868, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01145   452   NtClose  (136, ... ) == 0x0
 01146   452   NtClose  (132, ... ) == 0x0
 01147   452   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 132, 2, ) == 0x0
 01148   452   NtSetValueKey  (132,  (132, "Messanger 7", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0g\0s\07\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0\355\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\0H\0\357\0\22\0\0\0\11\0\0\0\0\0\0\0D\0\363\0\22\0\0\0  \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\34\0\367\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0\220\0\362\0\22\0\0\0\36 \0\0\0\0\0\0P\0\366\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\34\0\367\0\22\0\0\0]\0\275\0\346\0w\0x\0\363\0\22\0\0\0@\0\26\0", 520, ... , 0, 1,  (132, "Messanger 7", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0g\0s\07\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0\355\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\0H\0\357\0\22\0\0\0\11\0\0\0\0\0\0\0D\0\363\0\22\0\0\0  \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\34\0\367\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0\220\0\362\0\22\0\0\0\36 \0\0\0\0\0\0P\0\366\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\34\0\367\0\22\0\0\0]\0\275\0\346\0w\0x\0\363\0\22\0\0\0@\0\26\0", 520, ... , 520, ...
 01149   452   NtSetInformationFile  (-2147482808, -136152636, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01150   452   NtSetInformationFile  (-2147482808, -136152728, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01151   452   NtSetInformationFile  (-2147482808, -136153036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01148   452   NtSetValueKey  ... ) == 0x0
 01152   452   NtClose  (132, ... ) == 0x0
 01153   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 132, 2, ) == 0x0
 01154   452   NtSetValueKey  (132,  (132, "Messanger 7", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0g\0s\07\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0\355\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\0H\0\357\0\22\0\0\0\11\0\0\0\0\0\0\0D\0\363\0\22\0\0\0  \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\34\0\367\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0\220\0\362\0\22\0\0\0\36 \0\0\0\0\0\0P\0\366\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\34\0\367\0\22\0\0\0]\0\275\0\346\0w\0x\0\363\0\22\0\0\0@\0\26\0", 520, ... , 0, 1,  (132, "Messanger 7", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0g\0s\07\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\08\0\355\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\0H\0\357\0\22\0\0\0\11\0\0\0\0\0\0\0D\0\363\0\22\0\0\0  \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\34\0\367\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0\220\0\362\0\22\0\0\0\36 \0\0\0\0\0\0P\0\366\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\34\0\367\0\22\0\0\0]\0\275\0\346\0w\0x\0\363\0\22\0\0\0@\0\26\0", 520, ... , 520, ...
 01155   452   NtSetInformationFile  (-2147482700, -136152636, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01156   452   NtSetInformationFile  (-2147482700, -136152728, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01157   452   NtSetInformationFile  (-2147482700, -136153036, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01154   452   NtSetValueKey  ... ) == 0x0
 01158   452   NtClose  (132, ... ) == 0x0
 01159   452   NtUserSetTimer  (131250, 101, 2000, 0, ... ) == 0x65
 00954   452   NtUserCreateWindowEx  ... ) == 0x200b2
 01160   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x738a, {512, 384}}, ) == 0x1
 01161   452   NtQueryValueKey  (76,  (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   452   NtQueryValueKey  (76,  (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01163   452   NtQueryValueKey  (76,  (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   452   NtQueryValueKey  (76,  (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   452   NtQueryValueKey  (76,  (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01166   452   NtQueryValueKey  (76,  (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01167   452   NtQueryValueKey  (76,  (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01168   452   NtQueryValueKey  (76,  (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   452   NtQueryValueKey  (76,  (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01170   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01171   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1240268, ... ) }, 1240268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01172   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1240268, ... ) }, 1240268, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01173   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1240268, ... ) }, 1240268, ... ) == 0x0
 01174   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01175   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 136, ) == 0x0
 01176   452   NtQuerySection  (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01177   452   NtClose  (132, ... ) == 0x0
 01178   452   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 01179   452   NtClose  (136, ... ) == 0x0
 01180   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 136, ) == 0x0
 01181   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 132, ) == 0x0
 01182   452   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 140, ) }, ... 140, ) == 0x0
 01183   452   NtQueryEvent  (140, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 01184   452   NtClose  (140, ... ) == 0x0
 01185   452   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241752, 140, ... 140, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241752, 140, ... 140, 0x0, 0x0, 256, 140, ) == 0x0
 01186   452   NtRequestWaitReplyPort  (140, {28, 52, new_msg, 0, 0, 0, 0, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1581, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 444, 452, 1581, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1581, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 01187   452   NtQueryValueKey  (76,  (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01188   452   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 144, ) }, ... 144, ) == 0x0
 01189   452   NtQueryValueKey  (144,  (144, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   452   NtClose  (144, ... ) == 0x0
 01191   452   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 144, ) }, ... 144, ) == 0x0
 01192   452   NtQueryValueKey  (144,  (144, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   452   NtClose  (144, ... ) == 0x0
 01194   452   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 144, ) }, ... 144, ) == 0x0
 01195   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 148, ) }, ... 148, ) == 0x0
 01196   452   NtQueryValueKey  (148,  (148, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (148, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01197   452   NtClose  (148, ... ) == 0x0
 01198   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 148, ) }, ... 148, ) == 0x0
 01199   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 152, ) }, ... 152, ) == 0x0
 01200   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0
 01201   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 160, ) }, ... 160, ) == 0x0
 01202   452   NtQueryValueKey  (160,  (160, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01203   452   NtQueryValueKey  (160,  (160, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 01204   452   NtClose  (160, ... ) == 0x0
 01205   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 160, ) }, ... 160, ) == 0x0
 01206   452   NtQueryValueKey  (160,  (160, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01207   452   NtQueryValueKey  (160,  (160, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01208   452   NtQueryValueKey  (160,  (160, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01209   452   NtQueryValueKey  (160,  (160, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01210   452   NtQueryValueKey  (160,  (160, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01211   452   NtQueryValueKey  (160,  (160, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (160, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01212   452   NtClose  (160, ... ) == 0x0
 01213   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Content"}, ... 160, ) }, ... 160, ) == 0x0
 01214   452   NtQueryValueKey  (160,  (160, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01215   452   NtClose  (160, ... ) == 0x0
 01216   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Content"}, ... 160, ) }, ... 160, ) == 0x0
 01217   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01218   452   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1370088, 0,  (0x1f0003, {24, 52, 0x80, 1370088, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS
 01219   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01220   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01221   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01222   452   NtQueryValueKey  (168,  (168, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01223   452   NtClose  (168, ... ) == 0x0
 01224   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238980, ... ) }, 1238980, ... ) == 0x0
 01225   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01226   452   NtSetValueKey  (168,  (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 01227   452   NtClose  (168, ... ) == 0x0
 01228   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240312, ... ) }, 1240312, ... ) == 0x0
 01229   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240044, ... ) }, 1240044, ... ) == 0x0
 01230   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0
 01231   452   NtSetInformationFile  (168, 1240020, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01232   452   NtClose  (168, ... ) == 0x0
 01233   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1240044, ... ) }, 1240044, ... ) == 0x0
 01234   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01235   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01236   452   NtQueryValueKey  (160,  (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 01237   452   NtOpenKey  (0xf, {24, 48, 0x40, 0, 0,  (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 168, ) }, ... 168, ) == 0x0
 01238   452   NtOpenKey  (0xf, {24, 168, 0x40, 0, 0,  (0xf, {24, 168, 0x40, 0, 0, "Paths"}, ... 172, ) }, ... 172, ) == 0x0
 01239   452   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "Path1"}, ... 176, ) }, ... 176, ) == 0x0
 01240   452   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "Path2"}, ... 180, ) }, ... 180, ) == 0x0
 01241   452   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "Path3"}, ... 184, ) }, ... 184, ) == 0x0
 01242   452   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "Path4"}, ... 188, ) }, ... 188, ) == 0x0
 01243   452   NtOpenKey  (0xf, {24, 168, 0x40, 0, 0,  (0xf, {24, 168, 0x40, 0, 0, "Special Paths"}, ... 192, ) }, ... 192, ) == 0x0
 01244   452   NtSetValueKey  (172,  (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 01245   452   NtSetValueKey  (172,  (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01246   452   NtSetValueKey  (176,  (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01247   452   NtSetValueKey  (180,  (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01248   452   NtSetValueKey  (184,  (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01249   452   NtSetValueKey  (188,  (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01250   452   NtSetValueKey  (176,  (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01251   452   NtSetValueKey  (180,  (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01252   452   NtSetValueKey  (184,  (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01253   452   NtSetValueKey  (188,  (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01254   452   NtClose  (188, ... ) == 0x0
 01255   452   NtClose  (184, ... ) == 0x0
 01256   452   NtClose  (180, ... ) == 0x0
 01257   452   NtClose  (176, ... ) == 0x0
 01258   452   NtClose  (172, ... ) == 0x0
 01259   452   NtClose  (192, ... ) == 0x0
 01260   452   NtClose  (168, ... ) == 0x0
 01261   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Cookies"}, ... 168, ) }, ... 168, ) == 0x0
 01262   452   NtQueryValueKey  (168,  (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01263   452   NtClose  (168, ... ) == 0x0
 01264   452   NtClose  (160, ... ) == 0x0
 01265   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Cookies"}, ... 160, ) }, ... 160, ) == 0x0
 01266   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01267   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01268   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01269   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01270   452   NtQueryValueKey  (168,  (168, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01271   452   NtClose  (168, ... ) == 0x0
 01272   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238980, ... ) }, 1238980, ... ) == 0x0
 01273   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01274   452   NtSetValueKey  (168,  (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01275   452   NtClose  (168, ... ) == 0x0
 01276   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1240312, ... ) }, 1240312, ... ) == 0x0
 01277   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01278   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01279   452   NtQueryValueKey  (160,  (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01280   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "History"}, ... 168, ) }, ... 168, ) == 0x0
 01281   452   NtQueryValueKey  (168,  (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01282   452   NtClose  (168, ... ) == 0x0
 01283   452   NtClose  (160, ... ) == 0x0
 01284   452   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "History"}, ... 160, ) }, ... 160, ) == 0x0
 01285   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01286   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01287   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01288   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01289   452   NtQueryValueKey  (168,  (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01290   452   NtClose  (168, ... ) == 0x0
 01291   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238980, ... ) }, 1238980, ... ) == 0x0
 01292   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01293   452   NtSetValueKey  (168,  (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1,  (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0
 01294   452   NtClose  (168, ... ) == 0x0
 01295   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240312, ... ) }, 1240312, ... ) == 0x0
 01296   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240044, ... ) }, 1240044, ... ) == 0x0
 01297   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0
 01298   452   NtSetInformationFile  (168, 1240020, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01299   452   NtClose  (168, ... ) == 0x0
 01300   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1240044, ... ) }, 1240044, ... ) == 0x0
 01301   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01302   452   NtQueryValueKey  (160,  (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01303   452   NtQueryValueKey  (160,  (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01304   452   NtClose  (160, ... ) == 0x0
 01305   452   NtClose  (156, ... ) == 0x0
 01306   452   NtClose  (148, ... ) == 0x0
 01307   452   NtClose  (152, ... ) == 0x0
 01308   452   NtClose  (144, ... ) == 0x0
 01309   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 144, ) }, ... 144, ) == 0x0
 01310   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 152, ) }, ... 152, ) == 0x0
 01311   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01312   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 148, {status=0x0, info=1}, ) }, 3, 8388641, ... 148, {status=0x0, info=1}, ) == 0x0
 01313   452   NtQueryVolumeInformationFile  (148, 1241564, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01314   452   NtClose  (148, ... ) == 0x0
 01315   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 148, {status=0x0, info=1}, ) }, 3, 8388641, ... 148, {status=0x0, info=1}, ) == 0x0
 01316   452   NtQueryVolumeInformationFile  (148, 1241588, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01317   452   NtClose  (148, ... ) == 0x0
 01318   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241916, ... ) }, 1241916, ... ) == 0x0
 01319   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 148, {status=0x0, info=1}, ) }, 7, 2113568, ... 148, {status=0x0, info=1}, ) == 0x0
 01320   452   NtSetInformationFile  (148, 1241892, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01321   452   NtClose  (148, ... ) == 0x0
 01322   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241908,  (0xc0100080, {24, 0, 0x40, 1370088, 1241908, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01323   452   NtSetInformationFile  (148, 1241960, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01324   452   NtQueryInformationFile  (148, 1241960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01325   452   NtClose  (148, ... ) == 0x0
 01326   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241892,  (0xc0100080, {24, 0, 0x40, 1370088, 1241892, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 01327   452   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 156, ) }, ... 156, ) == 0x0
 01328   452   NtMapViewOfSection  (156, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 32768, ) == 0x0
 01329   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01330   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 160, ) }, ... 160, ) == 0x0
 01331   452   NtWaitForSingleObject  (160, 0, 0x0, ... ) == 0x0
 01332   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0
 01333   452   NtQueryVolumeInformationFile  (168, 1241564, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01334   452   NtClose  (168, ... ) == 0x0
 01335   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0
 01336   452   NtQueryVolumeInformationFile  (168, 1241588, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01337   452   NtClose  (168, ... ) == 0x0
 01338   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241916, ... ) }, 1241916, ... ) == 0x0
 01339   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0
 01340   452   NtSetInformationFile  (168, 1241892, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01341   452   NtClose  (168, ... ) == 0x0
 01342   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241908,  (0xc0100080, {24, 0, 0x40, 1370088, 1241908, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01343   452   NtSetInformationFile  (168, 1241960, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01344   452   NtQueryInformationFile  (168, 1241960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01345   452   NtClose  (168, ... ) == 0x0
 01346   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241892,  (0xc0100080, {24, 0, 0x40, 1370088, 1241892, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0
 01347   452   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 192, ) }, ... 192, ) == 0x0
 01348   452   NtMapViewOfSection  (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 16384, ) == 0x0
 01349   452   NtReleaseMutant  (160, ... 0x0, ) == 0x0
 01350   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 172, ) }, ... 172, ) == 0x0
 01351   452   NtWaitForSingleObject  (172, 0, 0x0, ... ) == 0x0
 01352   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0
 01353   452   NtQueryVolumeInformationFile  (176, 1241564, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01354   452   NtClose  (176, ... ) == 0x0
 01355   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0
 01356   452   NtQueryVolumeInformationFile  (176, 1241588, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01357   452   NtClose  (176, ... ) == 0x0
 01358   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241916, ... ) }, 1241916, ... ) == 0x0
 01359   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 176, {status=0x0, info=1}, ) == 0x0
 01360   452   NtSetInformationFile  (176, 1241892, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01361   452   NtClose  (176, ... ) == 0x0
 01362   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241908,  (0xc0100080, {24, 0, 0x40, 1370088, 1241908, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01363   452   NtSetInformationFile  (176, 1241960, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01364   452   NtQueryInformationFile  (176, 1241960, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01365   452   NtClose  (176, ... ) == 0x0
 01366   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 1370088, 1241892,  (0xc0100080, {24, 0, 0x40, 1370088, 1241892, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0
 01367   452   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 180, ) }, ... 180, ) == 0x0
 01368   452   NtMapViewOfSection  (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x910000), {0, 0}, 32768, ) == 0x0
 01369   452   NtReleaseMutant  (172, ... 0x0, ) == 0x0
 01370   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241972, ... ) }, 1241972, ... ) == 0x0
 01371   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0
 01372   452   NtSetInformationFile  (184, 1241948, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01373   452   NtClose  (184, ... ) == 0x0
 01374   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241972, ... ) }, 1241972, ... ) == 0x0
 01375   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241972, ... ) }, 1241972, ... ) == 0x0
 01376   452   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0
 01377   452   NtSetInformationFile  (184, 1241948, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01378   452   NtClose  (184, ... ) == 0x0
 01379   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241972, ... ) }, 1241972, ... ) == 0x0
 01380   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01381   452   NtQueryInformationFile  (148, 1240356, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01382   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01383   452   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 184, ) }, ... 184, ) == 0x0
 01384   452   NtOpenKey  (0xf, {24, 184, 0x40, 0, 0,  (0xf, {24, 184, 0x40, 0, 0, "Extensible Cache"}, ... 188, ) }, ... 188, ) == 0x0
 01385   452   NtClose  (184, ... ) == 0x0
 01386   452   NtWaitForSingleObject  (144, 0, {-600000000, -1}, ... ) == 0x0
 01387   452   NtEnumerateKey  (188, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (188, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0
 01388   452   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "MSHist012007051420070521"}, ... 184, ) }, ... 184, ) == 0x0
 01389   452   NtQueryValueKey  (184,  (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01390   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01391   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01392   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01393   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01394   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01395   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01396   452   NtQueryValueKey  (184,  (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01397   452   NtQueryValueKey  (184,  (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01398   452   NtClose  (184, ... ) == 0x0
 01399   452   NtEnumerateKey  (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0
 01400   452   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "MSHist012007052120070528"}, ... 184, ) }, ... 184, ) == 0x0
 01401   452   NtQueryValueKey  (184,  (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01402   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01403   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01404   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01405   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01406   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01407   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01408   452   NtQueryValueKey  (184,  (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01409   452   NtQueryValueKey  (184,  (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01410   452   NtClose  (184, ... ) == 0x0
 01411   452   NtEnumerateKey  (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0
 01412   452   NtOpenKey  (0xf, {24, 188, 0x40, 0, 0,  (0xf, {24, 188, 0x40, 0, 0, "MSHist012007053120070601"}, ... 184, ) }, ... 184, ) == 0x0
 01413   452   NtQueryValueKey  (184,  (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01414   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01415   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01416   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01417   452   NtQueryValueKey  (184,  (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01418   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01419   452   NtQueryValueKey  (184,  (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01420   452   NtQueryValueKey  (184,  (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01421   452   NtQueryValueKey  (184,  (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   452   NtClose  (184, ... ) == 0x0
 01423   452   NtEnumerateKey  (188, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01424   452   NtReleaseMutant  (144, ... 0x0, ) == 0x0
 01425   452   NtClose  (188, ... ) == 0x0
 01426   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01427   452   NtQueryInformationFile  (148, 1242284, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01428   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01429   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01430   452   NtQueryInformationFile  (148, 1242356, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01431   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01432   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01435   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01436   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01437   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0
 01438   452   NtQueryValueKey  (188,  (188, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01439   452   NtClose  (188, ... ) == 0x0
 01440   452   NtQueryValueKey  (76,  (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   452   NtQueryValueKey  (76,  (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01442   452   NtQueryValueKey  (76,  (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443   452   NtQueryValueKey  (76,  (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444   452   NtQueryValueKey  (76,  (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445   452   NtQueryValueKey  (76,  (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   452   NtQueryValueKey  (76,  (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   452   NtQueryValueKey  (76,  (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   452   NtQueryValueKey  (76,  (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01449   452   NtQueryValueKey  (76,  (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01450   452   NtQueryValueKey  (76,  (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01451   452   NtQueryValueKey  (76,  (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01452   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0
 01453   452   NtQueryValueKey  (188,  (188, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01454   452   NtClose  (188, ... ) == 0x0
 01455   452   NtQueryValueKey  (76,  (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01456   452   NtQueryValueKey  (76,  (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01457   452   NtQueryValueKey  (76,  (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01458   452   NtQueryValueKey  (76,  (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01459   452   NtQueryValueKey  (76,  (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01460   452   NtQueryValueKey  (76,  (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01461   452   NtQueryValueKey  (76,  (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01462   452   NtQueryValueKey  (76,  (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463   452   NtQueryValueKey  (76,  (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01464   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0
 01465   452   NtQueryValueKey  (188,  (188, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466   452   NtClose  (188, ... ) == 0x0
 01467   452   NtQueryValueKey  (76,  (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   452   NtQueryValueKey  (76,  (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01470   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01471   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01472   452   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01473   452   NtQueryValueKey  (76,  (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   452   NtQueryValueKey  (76,  (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   452   NtQueryValueKey  (76,  (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   452   NtQueryValueKey  (76,  (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   452   NtQueryValueKey  (76,  (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01478   452   NtQueryValueKey  (76,  (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01479   452   NtQueryValueKey  (76,  (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   452   NtQueryValueKey  (76,  (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   452   NtQueryValueKey  (76,  (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482   452   NtQueryValueKey  (76,  (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01483   452   NtQueryValueKey  (76,  (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 188, ) }, ... 188, ) == 0x0
 01485   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 184, ) == 0x0
 01486   452   NtQueryValueKey  (76,  (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01488   452   NtQueryInformationFile  (148, 1242332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01489   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01490   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 196, ) }, ... 196, ) == 0x0
 01491   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 200, ) == 0x0
 01492   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 204, ) }, ... 204, ) == 0x0
 01493   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01494   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01495   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 208, ) }, ... 208, ) == 0x0
 01496   452   NtQueryValueKey  (208,  (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01497   452   NtQueryValueKey  (208,  (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01498   452   NtClose  (208, ... ) == 0x0
 01499   452   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 01500   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 01501   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 01502   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 1240720, ... ) }, 1240720, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "RASAPI32.DLL"}, 1240720, ... ) }, 1240720, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 1240720, ... ) }, 1240720, ... ) == 0x0
 01506   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01507   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 01508   452   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01509   452   NtClose  (208, ... ) == 0x0
 01510   452   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
 01511   452   NtClose  (212, ... ) == 0x0
 01512   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01513   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1239916, ... ) }, 1239916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1239916, ... ) }, 1239916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01515   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1239916, ... ) }, 1239916, ... ) == 0x0
 01516   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01517   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
 01518   452   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01519   452   NtClose  (212, ... ) == 0x0
 01520   452   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
 01521   452   NtClose  (208, ... ) == 0x0
 01522   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01523   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01524   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01525   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1239112, ... ) }, 1239112, ... ) == 0x0
 01526   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01527   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 01528   452   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01529   452   NtClose  (208, ... ) == 0x0
 01530   452   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01531   452   NtClose  (212, ... ) == 0x0
 01532   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01533   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1239916, ... ) }, 1239916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1239916, ... ) }, 1239916, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1239916, ... ) }, 1239916, ... ) == 0x0
 01536   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01537   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
 01538   452   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01539   452   NtClose  (212, ... ) == 0x0
 01540   452   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
 01541   452   NtClose  (208, ... ) == 0x0
 01542   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01544   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01545   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1239112, ... ) }, 1239112, ... ) == 0x0
 01546   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01547   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
 01548   452   NtQuerySection  (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01549   452   NtClose  (208, ... ) == 0x0
 01550   452   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
 01551   452   NtClose  (212, ... ) == 0x0
 01552   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01553   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01554   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1239112, ... ) }, 1239112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1239112, ... ) }, 1239112, ... ) == 0x0
 01556   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 01557   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
 01558   452   NtQuerySection  (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01559   452   NtClose  (212, ... ) == 0x0
 01560   452   NtMapViewOfSection  (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 01561   452   NtClose  (208, ... ) == 0x0
 01562   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
 01563   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 212, ) == 0x0
 01564   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 216, ) == 0x0
 01565   452   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 220, ) }, ... 220, ) == 0x0
 01566   452   NtQueryValueKey  (220,  (220, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01567   452   NtQueryValueKey  (220,  (220, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01568   452   NtQueryValueKey  (220,  (220, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01569   452   NtQueryValueKey  (220,  (220, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01570   452   NtQueryValueKey  (220,  (220, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01571   452   NtQueryValueKey  (220,  (220, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   452   NtQueryValueKey  (220,  (220, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   452   NtQueryValueKey  (220,  (220, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01574   452   NtQueryValueKey  (220,  (220, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01575   452   NtQueryValueKey  (220,  (220, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576   452   NtQueryValueKey  (220,  (220, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01577   452   NtQueryValueKey  (220,  (220, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01578   452   NtQueryValueKey  (220,  (220, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   452   NtQueryValueKey  (220,  (220, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01580   452   NtQueryValueKey  (220,  (220, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01581   452   NtQueryValueKey  (220,  (220, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01582   452   NtQueryValueKey  (220,  (220, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01583   452   NtQueryValueKey  (220,  (220, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01584   452   NtQueryValueKey  (220,  (220, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01585   452   NtQueryValueKey  (220,  (220, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01586   452   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01587   452   NtQueryValueKey  (220,  (220, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01588   452   NtQueryValueKey  (220,  (220, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01589   452   NtQueryValueKey  (220,  (220, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01590   452   NtQueryValueKey  (220,  (220, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01591   452   NtQueryValueKey  (220,  (220, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   452   NtQueryValueKey  (220,  (220, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   452   NtQueryValueKey  (220,  (220, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01594   452   NtQueryValueKey  (220,  (220, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01595   452   NtQueryValueKey  (220,  (220, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01596   452   NtQueryValueKey  (220,  (220, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01597   452   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 01598   452   NtOpenKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 224, ) }, ... 224, ) == 0x0
 01599   452   NtQueryValueKey  (224,  (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01600   452   NtClose  (224, ... ) == 0x0
 01601   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 0, 0,  (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01602   452   NtQueryValueKey  (220,  (220, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01603   452   NtQueryValueKey  (220,  (220, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01604   452   NtQueryValueKey  (220,  (220, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01605   452   NtQueryValueKey  (220,  (220, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   452   NtQueryValueKey  (220,  (220, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   452   NtQueryValueKey  (220,  (220, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01608   452   NtQueryValueKey  (220,  (220, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01609   452   NtQueryValueKey  (220,  (220, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01610   452   NtQueryValueKey  (220,  (220, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01611   452   NtQueryValueKey  (220,  (220, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01612   452   NtQueryDefaultUILanguage  (1239112, ...
 01613   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01614   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01615   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01616   452   NtClose  (-2147482020, ... ) == 0x0
 01617   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01618   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01619   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01620   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01621   452   NtClose  (-2147482032, ... ) == 0x0
 01622   452   NtClose  (-2147482020, ... ) == 0x0
 01612   452   NtQueryDefaultUILanguage  ... ) == 0x0
 01623   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 224, {status=0x0, info=1}, ) }, 1, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 01625   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 01626   452   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 163840, ) == 0x0
 01627   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01628   452   NtQueryDefaultLocale  (1, 1237148, ... ) == 0x0
 01629   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238004, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238004, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\224\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\364\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1583, 0} " S\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\224\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\364\352\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1583, 0}  (24, {128, 156, new_msg, 0, 1238004, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\224\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\364\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1583, 0} " S\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\224\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\364\352\22\0\0\0\0\0" )  ) == 0x0
 01631   452   NtClose  (224, ... ) == 0x0
 01632   452   NtClose  (228, ... ) == 0x0
 01633   452   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 01634   452   NtUnmapViewOfSection  (-1, 0x12eaf4, ... ) == STATUS_NOT_MAPPED_VIEW
 01635   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01636   452   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 01637   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01638   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01639   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01640   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236232, ... ) }, 1236232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01641   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01642   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01643   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01644   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236824, ... ) }, 1236824, ... ) == 0x0
 01645   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 228, {status=0x0, info=1}, ) }, 3, 33, ... 228, {status=0x0, info=1}, ) == 0x0
 01646   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01647   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 224, ) }, ... 224, ) == 0x0
 01648   452   NtQueryValueKey  (224,  (224, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   452   NtQueryValueKey  (224,  (224, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01650   452   NtClose  (224, ... ) == 0x0
 01651   452   NtCreateMutant  (0x1f0001, 0x0, 0, ... 224, ) == 0x0
 01652   452   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 1380656, 0,  (0x1f0001, {24, 52, 0x80, 1380656, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED
 01653   452   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 232, ) }, ... 232, ) == 0x0
 01654   452   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0
 01655   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 240, ) == 0x0
 01656   452   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 244, ) == 0x0
 01657   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 248, ) == 0x0
 01658   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 252, ) == 0x0
 01659   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 256, ) == 0x0
 01660   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0
 01661   452   NtCreateKey  (0xf003f, {24, 48, 0x40, 0, 0,  (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 264, 2, ) }, 0, 0x0, 0, ... 264, 2, ) == 0x0
 01662   452   NtQueryValueKey  (264,  (264, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (264, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01663   452   NtClose  (264, ... ) == 0x0
 01664   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 264, ) == 0x0
 01665   452   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 268, ) == 0x0
 01666   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 272, ) }, ... 272, ) == 0x0
 01667   452   NtQueryValueKey  (272,  (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01668   452   NtQueryValueKey  (272,  (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01669   452   NtQueryValueKey  (272,  (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01670   452   NtQueryValueKey  (272,  (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01671   452   NtQueryValueKey  (272,  (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 01672   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01673   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01674   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 276, ) == 0x0
 01675   452   NtNotifyChangeKey  (272, 276, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 01676   452   NtQueryValueKey  (272,  (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01677   452   NtQueryValueKey  (272,  (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01678   452   NtQueryValueKey  (272,  (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01679   452   NtQueryValueKey  (272,  (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01680   452   NtQueryValueKey  (272,  (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 01681   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01682   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01683   452   NtNotifyChangeKey  (272, 276, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 01684   452   NtSetEvent  (260, ... 0x0, ) == 0x0
 01685   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 280, ) }, ... 280, ) == 0x0
 01686   452   NtWaitForSingleObject  (280, 0, {-1800000000, -1}, ... ) == 0x0
 01687   452   NtClose  (280, ... ) == 0x0
 01688   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01689   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01690   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 280, ) }, ... 280, ) == 0x0
 01691   452   NtQueryValueKey  (280,  (280, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01692   452   NtClose  (280, ... ) == 0x0
 01693   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01694   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 280, ) == 0x0
 01695   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0
 01696   452   NtQuerySystemTime  (... {159168258, 29889777}, ) == 0x0
 01697   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 288, ) == 0x0
 01698   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01699   452   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01700   452   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01701   452   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01702   452   NtAllocateVirtualMemory  (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0
 01703   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0
 01704   452   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 296, ) == 0x0
 01705   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 300, ) }, ... 300, ) == 0x0
 01706   452   NtOpenKey  (0x20019, {24, 300, 0x40, 0, 0,  (0x20019, {24, 300, 0x40, 0, 0, "ActiveComputerName"}, ... 304, ) }, ... 304, ) == 0x0
 01707   452   NtQueryValueKey  (304,  (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01708   452   NtClose  (304, ... ) == 0x0
 01709   452   NtClose  (300, ... ) == 0x0
 01710   452   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 300, ) == 0x0
 01711   452   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 304, ) == 0x0
 01712   452   NtDuplicateObject  (-1, 300, -1, 0x0, 0, 2, ... 308, ) == 0x0
 01713   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01714   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 312, ) == 0x0
 01715   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01716   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01717   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0
 01718   452   NtSetInformationFile  (316, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01719   452   NtSetInformationFile  (316, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01720   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01721   452   NtWriteFile  (316, 293, 0, 0,  (316, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01722   452   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 01723   452   NtReadFile  (316, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (316, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01724   452   NtFsControlFile  (316, 293, 0x0, 0x0, 0x11c017,  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\273\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01725   452   NtFsControlFile  (316, 293, 0x0, 0x0, 0x11c017,  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01726   452   NtFsControlFile  (316, 293, 0x0, 0x0, 0x11c017,  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01727   452   NtFsControlFile  (316, 293, 0x0, 0x0, 0x11c017,  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\333\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01728   452   NtFsControlFile  (316, 293, 0x0, 0x0, 0x11c017,  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01729   452   NtClose  (312, ... ) == 0x0
 01730   452   NtClose  (316, ... ) == 0x0
 01731   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 01732   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01733   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01734   452   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01736   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0
 01737   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01738   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01739   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238384,  (0xc0100080, {24, 0, 0x40, 0, 1238384, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0
 01740   452   NtSetInformationFile  (312, 1238440, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01741   452   NtSetInformationFile  (312, 1238432, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01742   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01743   452   NtWriteFile  (312, 293, 0, 0,  (312, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01744   452   NtReadFile  (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01745   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01746   452   NtClose  (316, ... ) == 0x0
 01747   452   NtClose  (312, ... ) == 0x0
 01748   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0
 01749   452   NtCreateKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0
 01750   452   NtClose  (312, ... ) == 0x0
 01751   452   NtQueryValueKey  (316,  (316, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01752   452   NtClose  (316, ... ) == 0x0
 01753   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 316, ) }, ... 316, ) == 0x0
 01754   452   NtWaitForSingleObject  (316, 0, {-1800000000, -1}, ... ) == 0x0
 01755   452   NtClose  (316, ... ) == 0x0
 01756   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01757   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0
 01758   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01759   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01760   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240468,  (0xc0100080, {24, 0, 0x40, 0, 1240468, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0
 01761   452   NtSetInformationFile  (312, 1240524, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01762   452   NtSetInformationFile  (312, 1240516, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01763   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01764   452   NtWriteFile  (312, 293, 0, 0,  (312, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01765   452   NtReadFile  (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01766   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\274\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01767   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01768   452   NtWaitForSingleObject  (293, 0, 0x0, ... ) == 0x0
 01769   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103
 01770   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103
 01771   452   NtWaitForSingleObject  (293, 0, 0x0, ... ) == 0x0
 01772   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103
 01773   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0`\366\22\0\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103
 01774   452   NtFsControlFile  (312, 293, 0x0, 0x0, 0x11c017,  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624},  (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\334\345\270A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103
 01775   452   NtClose  (316, ... ) == 0x0
 01776   452   NtClose  (312, ... ) == 0x0
 01777   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01778   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 1240728, ... ) }, 1240728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01779   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 1240728, ... ) }, 1240728, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01780   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 1240728, ... ) }, 1240728, ... ) == 0x0
 01781   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0
 01782   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0
 01783   452   NtQuerySection  (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01784   452   NtClose  (312, ... ) == 0x0
 01785   452   NtMapViewOfSection  (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0
 01786   452   NtClose  (316, ... ) == 0x0
 01787   452   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 316, ) }, ... 316, ) == 0x0
 01788   452   NtMapViewOfSection  (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x920000), {0, 0}, 4096, ) == 0x0
 01789   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 312, ) == 0x0
 01790   452   NtConnectPort  ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 1241192, 112, ... 320, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241192, 112, ... 320, 0x0, 0x0, 0x0, 112, ) == 0x0
 01791   452   NtRequestWaitReplyPort  (320, {128, 152, new_msg, 0, 126524, 1310720, 1240956, 2012750850}  (320, {128, 152, new_msg, 0, 126524, 1310720, 1240956, 2012750850} "\0\366\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\32\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\340*\25\0\240\1\24\0`,\25\0\3203\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\310\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1585, 0} "\7\366\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\340*\25\0\240\1\24\0`,\25\0\3203\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\310\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1585, 0}  (320, {128, 152, new_msg, 0, 126524, 1310720, 1240956, 2012750850} "\0\366\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\32\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\340*\25\0\240\1\24\0`,\25\0\3203\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\310\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1585, 0} "\7\366\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\340*\25\0\240\1\24\0`,\25\0\3203\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\310\0\0\0\5\0\0\0" )  ) == 0x0
 01792   452   NtRequestWaitReplyPort  (320, {32, 56, new_msg, 0, 44, 7, 20, 0}  (320, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 444, 452, 1586, 0} "\2\4\0\0\1\0O\200\244\4\0\0\30\2\31\201\0\200\371\177\374\70\300\0\0\0\0\244\4\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\220{\24\201\304\13\24\370\277\6O\200\374\70\300\304\13\24\370X\5O\200\0\200\371\177\0\0\0\0\0\0\0\0\330\201\24\201 \0\31\201\1\0\31\201\0\0\0\0`\376\37\300 \0\31\201\0\0\0\0\0\0\34\1\377\377\33\1\0\0\0\0" )  ... {124, 148, reply, 0, 444, 452, 1586, 0}  (320, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\344\200\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 444, 452, 1586, 0} "\2\4\0\0\1\0O\200\244\4\0\0\30\2\31\201\0\200\371\177\374\70\300\0\0\0\0\244\4\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\220{\24\201\304\13\24\370\277\6O\200\374\70\300\304\13\24\370X\5O\200\0\200\371\177\0\0\0\0\0\0\0\0\330\201\24\201 \0\31\201\1\0\31\201\0\0\0\0`\376\37\300 \0\31\201\0\0\0\0\0\0\34\1\377\377\33\1\0\0\0\0" )  ) == 0x0
 01793   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 01794   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01795   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 01796   452   NtRequestWaitReplyPort  (140, {28, 52, new_msg, 0, 0, 0, 0, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\3109\25\0" ... {176, 200, reply, 0, 444, 452, 1587, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 444, 452, 1587, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\3109\25\0" ... {176, 200, reply, 0, 444, 452, 1587, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 01797   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   452   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 01799   452   NtOpenProcessToken  (-1, 0x20008, ... 324, ) == 0x0
 01800   452   NtQueryInformationToken  (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01801   452   NtClose  (324, ... ) == 0x0
 01802   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 324, ) }, ... 324, ) == 0x0
 01803   452   NtSetInformationObject  (324, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01804   452   NtOpenKey  (0x3, {24, 324, 0x40, 0, 0,  (0x3, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 328, ) }, ... 328, ) == 0x0
 01805   452   NtOpenKey  (0x1, {24, 328, 0x40, 0, 0,  (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 332, ) }, ... 332, ) == 0x0
 01806   452   NtQueryValueKey  (332,  (332, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01807   452   NtClose  (332, ... ) == 0x0
 01808   452   NtAllocateVirtualMemory  (-1, 1392640, 0, 20480, 4096, 4, ... 1392640, 20480, ) == 0x0
 01809   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01810   452   NtOpenProcessToken  (-1, 0xc, ... 332, ) == 0x0
 01811   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01812   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01813   452   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 01814   452   NtQueryValueKey  (336,  (336, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0
 01815   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 340, ) }, ... 340, ) == 0x0
 01816   452   NtMapViewOfSection  (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 01817   452   NtClose  (340, ... ) == 0x0
 01818   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 340, ) }, ... 340, ) == 0x0
 01819   452   NtQueryValueKey  (340,  (340, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01820   452   NtClose  (340, ... ) == 0x0
 01821   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 340, ) }, ... 340, ) == 0x0
 01822   452   NtQueryValueKey  (340,  (340, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   452   NtClose  (340, ... ) == 0x0
 01824   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 340, ) }, ... 340, ) == 0x0
 01825   452   NtQueryValueKey  (340,  (340, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01826   452   NtClose  (340, ... ) == 0x0
 01827   452   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1237512, 0,  (0x1f0003, {24, 52, 0x80, 1237512, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 340, ) }, 0, 1, ... 340, ) == STATUS_OBJECT_NAME_EXISTS
 01828   452   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 01829   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01830   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01831   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01832   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01833   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01834   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01835   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01836   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01837   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01838   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01839   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01840   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01841   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01842   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01843   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01844   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01845   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01846   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01847   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01848   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01849   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01850   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01851   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01852   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01853   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01854   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01855   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01856   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 344, ) == 0x0
 01857   452   NtQueryInformationToken  (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01858   452   NtClose  (344, ... ) == 0x0
 01859   452   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0
 01860   452   NtOpenKey  (0x20019, {24, 344, 0x40, 0, 0,  (0x20019, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 348, ) }, ... 348, ) == 0x0
 01861   452   NtQueryValueKey  (348,  (348, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (348, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01862   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01863   452   NtQueryValueKey  (348,  (348, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (348, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01864   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01865   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01866   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01867   452   NtQueryDefaultLocale  (1, 1235348, ... ) == 0x0
 01868   452   NtClose  (348, ... ) == 0x0
 01869   452   NtClose  (344, ... ) == 0x0
 01870   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0
 01871   452   NtQueryValueKey  (344,  (344, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01872   452   NtClose  (344, ... ) == 0x0
 01873   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0
 01874   452   NtQueryValueKey  (344,  (344, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01875   452   NtQueryValueKey  (344,  (344, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876   452   NtClose  (344, ... ) == 0x0
 01877   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0
 01879   452   NtQueryValueKey  (344,  (344, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880   452   NtClose  (344, ... ) == 0x0
 01881   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01882   452   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 9633792, 4096, ) == 0x0
 01883   452   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 01884   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01885   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01886   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0
 01887   452   NtQueryValueKey  (344,  (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01888   452   NtClose  (344, ... ) == 0x0
 01889   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0
 01890   452   NtQueryValueKey  (344,  (344, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 01891   452   NtClose  (344, ... ) == 0x0
 01892   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01893   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 344, ) }, ... 344, ) == 0x0
 01894   452   NtQueryKey  (344, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 01895   452   NtQuerySecurityObject  (344, 7, 0, ... ) == STATUS_ACCESS_DENIED
 01896   452   NtEnumerateValueKey  (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01897   452   NtEnumerateValueKey  (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01898   452   NtEnumerateValueKey  (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01899   452   NtEnumerateValueKey  (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01900   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01901   452   NtEnumerateValueKey  (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01902   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01903   452   NtEnumerateValueKey  (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01904   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01905   452   NtEnumerateValueKey  (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01906   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01907   452   NtEnumerateValueKey  (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01908   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01909   452   NtEnumerateValueKey  (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01910   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01911   452   NtEnumerateValueKey  (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01912   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01913   452   NtEnumerateValueKey  (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01914   452   NtEnumerateValueKey  (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01915   452   NtEnumerateValueKey  (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01916   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01917   452   NtEnumerateValueKey  (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01918   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01919   452   NtEnumerateValueKey  (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01920   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01921   452   NtEnumerateValueKey  (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01922   452   NtEnumerateValueKey  (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01923   452   NtEnumerateValueKey  (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01924   452   NtEnumerateValueKey  (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01925   452   NtEnumerateValueKey  (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01926   452   NtEnumerateValueKey  (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01927   452   NtEnumerateValueKey  (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01928   452   NtEnumerateValueKey  (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01929   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01930   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01931   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238436, ... ) }, 1238436, ... ) == 0x0
 01932   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01933   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01934   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01935   452   NtEnumerateValueKey  (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01936   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01937   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01938   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238436, ... ) }, 1238436, ... ) == 0x0
 01939   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01940   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01941   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01942   452   NtClose  (344, ... ) == 0x0
 01943   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 344, ) }, ... 344, ) == 0x0
 01944   452   NtOpenKey  (0x20019, {24, 344, 0x40, 0, 0,  (0x20019, {24, 344, 0x40, 0, 0, "ActiveComputerName"}, ... 348, ) }, ... 348, ) == 0x0
 01945   452   NtQueryValueKey  (348,  (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01946   452   NtClose  (348, ... ) == 0x0
 01947   452   NtClose  (344, ... ) == 0x0
 01948   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01949   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0
 01950   452   NtQueryValueKey  (344,  (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01951   452   NtClose  (344, ... ) == 0x0
 01952   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0
 01953   452   NtQueryValueKey  (344,  (344, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 01954   452   NtClose  (344, ... ) == 0x0
 01955   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01956   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 344, ) }, ... 344, ) == 0x0
 01957   452   NtQueryValueKey  (344,  (344, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01958   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01959   452   NtQueryValueKey  (344,  (344, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 01960   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01961   452   NtClose  (344, ... ) == 0x0
 01962   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01963   452   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0
 01964   452   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01965   452   NtQueryInformationToken  (332, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 01966   452   NtDuplicateToken  (332, 0xc, {24, 0, 0x0, 0, 1239820, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 01967   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01968   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01969   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 01970   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01971   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01972   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238024,  (0xc0100080, {24, 0, 0x40, 0, 1238024, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 01973   452   NtSetInformationFile  (352, 1238080, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01974   452   NtSetInformationFile  (352, 1238072, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01975   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01976   452   NtWriteFile  (352, 293, 0, 0,  (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01977   452   NtReadFile  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01978   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\274\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\274\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01979   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\364\352\22\0\1\0\0\0\230\223\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\364\352\22\0\1\0\0\0\230\223\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01980   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3163\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01981   452   NtClose  (348, ... ) == 0x0
 01982   452   NtClose  (352, ... ) == 0x0
 01983   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01984   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 01985   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01986   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01987   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238020,  (0xc0100080, {24, 0, 0x40, 0, 1238020, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 01988   452   NtSetInformationFile  (348, 1238076, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01989   452   NtSetInformationFile  (348, 1238068, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01990   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01991   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01992   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01993   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01994   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\360\352\22\0\1\0\0\0\230\223\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\360\352\22\0\1\0\0\0\230\223\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01995   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3173\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01996   452   NtClose  (352, ... ) == 0x0
 01997   452   NtClose  (348, ... ) == 0x0
 01998   452   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02000   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02001   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02002   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02003   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1237652,  (0xc0100080, {24, 0, 0x40, 0, 1237652, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02004   452   NtSetInformationFile  (352, 1237708, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02005   452   NtSetInformationFile  (352, 1237700, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02006   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02007   452   NtWriteFile  (352, 293, 0, 0,  (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02008   452   NtReadFile  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02009   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02010   452   NtClose  (348, ... ) == 0x0
 02011   452   NtClose  (352, ... ) == 0x0
 02012   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02013   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02014   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02015   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02016   452   NtQueryValueKey  (352,  (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 02017   452   NtClose  (352, ... ) == 0x0
 02018   452   NtCreateKey  (0x2001f, {24, 344, 0x40, 0, 0,  (0x2001f, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0
 02019   452   NtQueryValueKey  (352,  (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02020   452   NtClose  (352, ... ) == 0x0
 02021   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02022   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02023   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1239724, ... ) }, 1239724, ... ) == 0x0
 02024   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239732,  (0x80100080, {24, 0, 0x40, 0, 1239732, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02025   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02026   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02027   452   NtQueryInformationFile  (352, 1239748, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02028   452   NtReadFile  (352, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 02029   452   NtClose  (352, ... ) == 0x0
 02030   452   NtOpenKey  (0x20019, {24, 344, 0x40, 0, 0,  (0x20019, {24, 344, 0x40, 0, 0, "Environment"}, ... 352, ) }, ... 352, ) == 0x0
 02031   452   NtAllocateVirtualMemory  (-1, 1417216, 0, 12288, 4096, 4, ... 1417216, 12288, ) == 0x0
 02032   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02033   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02034   452   NtEnumerateValueKey  (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02035   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02036   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02037   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02038   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238464, ... ) }, 1238464, ... ) == 0x0
 02039   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02040   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02041   452   NtClose  (348, ... ) == 0x0
 02042   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02043   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02044   452   NtClose  (348, ... ) == 0x0
 02045   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02046   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02047   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02048   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02049   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02050   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02051   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238464, ... ) }, 1238464, ... ) == 0x0
 02052   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02053   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02054   452   NtClose  (348, ... ) == 0x0
 02055   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02056   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02057   452   NtClose  (348, ... ) == 0x0
 02058   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02059   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02060   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02061   452   NtEnumerateValueKey  (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02062   452   NtClose  (352, ... ) == 0x0
 02063   452   NtOpenKey  (0x20019, {24, 344, 0x40, 0, 0,  (0x20019, {24, 344, 0x40, 0, 0, "Volatile Environment"}, ... 352, ) }, ... 352, ) == 0x0
 02064   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02065   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02066   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02067   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02068   452   NtEnumerateValueKey  (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02069   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02070   452   NtEnumerateValueKey  (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02071   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02072   452   NtEnumerateValueKey  (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02073   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02074   452   NtEnumerateValueKey  (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02075   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02076   452   NtEnumerateValueKey  (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02077   452   NtEnumerateValueKey  (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02078   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02079   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02080   452   NtEnumerateValueKey  (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02081   452   NtEnumerateValueKey  (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02082   452   NtEnumerateValueKey  (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02083   452   NtEnumerateValueKey  (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02084   452   NtEnumerateValueKey  (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02085   452   NtEnumerateValueKey  (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02086   452   NtClose  (352, ... ) == 0x0
 02087   452   NtClose  (344, ... ) == 0x0
 02088   452   NtFreeVirtualMemory  (-1, (0x930000), 0, 32768, ... (0x930000), 4096, ) == 0x0
 02089   452   NtClose  (336, ... ) == 0x0
 02090   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 1240388, ... ) }, 1240388, ... ) == 0x0
 02091   452   NtCreateKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 02092   452   NtSetValueKey  (336,  (336, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1,  (336, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0
 02093   452   NtClose  (336, ... ) == 0x0
 02094   452   NtClose  (332, ... ) == 0x0
 02095   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02096   452   NtQueryDirectoryFile  (332, 0, 0, 0, 1239364, 616, BothDirectory, 1,  (332, 0, 0, 0, 1239364, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 02097   452   NtClose  (332, ... ) == 0x0
 02098   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02099   452   NtQueryDirectoryFile  (332, 0, 0, 0, 1239364, 616, BothDirectory, 1,  (332, 0, 0, 0, 1239364, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 02100   452   NtClose  (332, ... ) == 0x0
 02101   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02102   452   NtOpenProcessToken  (-1, 0xc, ... 332, ) == 0x0
 02103   452   NtQueryInformationToken  (332, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 02104   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 336, ) == 0x0
 02105   452   NtCreateKey  (0x2000000, {24, 336, 0x40, 0, 0,  (0x2000000, {24, 336, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0
 02106   452   NtClose  (336, ... ) == 0x0
 02107   452   NtQueryValueKey  (344,  (344, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 02108   452   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 9633792, 4096, ) == 0x0
 02109   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02110   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02111   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0
 02112   452   NtQueryValueKey  (336,  (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 02113   452   NtClose  (336, ... ) == 0x0
 02114   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0
 02115   452   NtQueryValueKey  (336,  (336, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 02116   452   NtClose  (336, ... ) == 0x0
 02117   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02118   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 336, ) }, ... 336, ) == 0x0
 02119   452   NtQueryKey  (336, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 02120   452   NtQuerySecurityObject  (336, 7, 0, ... ) == STATUS_ACCESS_DENIED
 02121   452   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 02122   452   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 02123   452   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 02124   452   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 02125   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02126   452   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 02127   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02128   452   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 02129   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02130   452   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 02131   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02132   452   NtEnumerateValueKey  (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 02133   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02134   452   NtEnumerateValueKey  (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 02135   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02136   452   NtEnumerateValueKey  (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 02137   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02138   452   NtEnumerateValueKey  (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02139   452   NtEnumerateValueKey  (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02140   452   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 02141   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02142   452   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 02143   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02144   452   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 02145   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02146   452   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 02147   452   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 02148   452   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 02149   452   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 02150   452   NtEnumerateValueKey  (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 02151   452   NtEnumerateValueKey  (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 02152   452   NtEnumerateValueKey  (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 02153   452   NtEnumerateValueKey  (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02154   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02155   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02156   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238436, ... ) }, 1238436, ... ) == 0x0
 02157   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02158   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02159   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02160   452   NtEnumerateValueKey  (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02161   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02162   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02163   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238436, ... ) }, 1238436, ... ) == 0x0
 02164   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02165   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02166   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02167   452   NtClose  (336, ... ) == 0x0
 02168   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 336, ) }, ... 336, ) == 0x0
 02169   452   NtOpenKey  (0x20019, {24, 336, 0x40, 0, 0,  (0x20019, {24, 336, 0x40, 0, 0, "ActiveComputerName"}, ... 352, ) }, ... 352, ) == 0x0
 02170   452   NtQueryValueKey  (352,  (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 02171   452   NtClose  (352, ... ) == 0x0
 02172   452   NtClose  (336, ... ) == 0x0
 02173   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02174   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0
 02175   452   NtQueryValueKey  (336,  (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 02176   452   NtClose  (336, ... ) == 0x0
 02177   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0
 02178   452   NtQueryValueKey  (336,  (336, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 02179   452   NtClose  (336, ... ) == 0x0
 02180   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02181   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 336, ) }, ... 336, ) == 0x0
 02182   452   NtQueryValueKey  (336,  (336, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 02183   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02184   452   NtQueryValueKey  (336,  (336, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 02185   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02186   452   NtClose  (336, ... ) == 0x0
 02187   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02188   452   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 336, ) == 0x0
 02189   452   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 02190   452   NtQueryInformationToken  (332, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 02191   452   NtDuplicateToken  (332, 0xc, {24, 0, 0x0, 0, 1239820, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 02192   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02193   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02194   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02195   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02196   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02197   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238024,  (0xc0100080, {24, 0, 0x40, 0, 1238024, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 02198   452   NtSetInformationFile  (348, 1238080, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02199   452   NtSetInformationFile  (348, 1238072, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02200   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02201   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02202   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02203   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\274\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\274\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02204   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\364\352\22\0\1\0\0\0(\224\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\364\352\22\0\1\0\0\0(\224\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02205   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3203\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02206   452   NtClose  (352, ... ) == 0x0
 02207   452   NtClose  (348, ... ) == 0x0
 02208   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02209   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02210   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02211   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02212   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238020,  (0xc0100080, {24, 0, 0x40, 0, 1238020, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02213   452   NtSetInformationFile  (352, 1238076, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02214   452   NtSetInformationFile  (352, 1238068, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02215   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02216   452   NtWriteFile  (352, 293, 0, 0,  (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02217   452   NtReadFile  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02218   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02219   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\360\352\22\0\1\0\0\0(\224\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\360\352\22\0\1\0\0\0(\224\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02220   452   NtFsControlFile  (352, 293, 0x0, 0x0, 0x11c017,  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3213\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\226\25\0\1\0\0\0\1\0\0\0\20\0\22\0\214\226\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02221   452   NtClose  (348, ... ) == 0x0
 02222   452   NtClose  (352, ... ) == 0x0
 02223   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02224   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02225   452   NtQueryInformationToken  (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02226   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0
 02227   452   NtQueryValueKey  (352,  (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 02228   452   NtClose  (352, ... ) == 0x0
 02229   452   NtCreateKey  (0x2001f, {24, 336, 0x40, 0, 0,  (0x2001f, {24, 336, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0
 02230   452   NtQueryValueKey  (352,  (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02231   452   NtClose  (352, ... ) == 0x0
 02232   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02233   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02234   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1239724, ... ) }, 1239724, ... ) == 0x0
 02235   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1239732,  (0x80100080, {24, 0, 0x40, 0, 1239732, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0
 02236   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02237   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02238   452   NtQueryInformationFile  (352, 1239748, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02239   452   NtReadFile  (352, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 02240   452   NtClose  (352, ... ) == 0x0
 02241   452   NtOpenKey  (0x20019, {24, 336, 0x40, 0, 0,  (0x20019, {24, 336, 0x40, 0, 0, "Environment"}, ... 352, ) }, ... 352, ) == 0x0
 02242   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02243   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02244   452   NtEnumerateValueKey  (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02245   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02246   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02247   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02248   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238464, ... ) }, 1238464, ... ) == 0x0
 02249   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02250   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02251   452   NtClose  (348, ... ) == 0x0
 02252   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02253   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02254   452   NtClose  (348, ... ) == 0x0
 02255   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02256   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02257   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02258   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02259   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02260   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02261   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238464, ... ) }, 1238464, ... ) == 0x0
 02262   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02263   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02264   452   NtClose  (348, ... ) == 0x0
 02265   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0
 02266   452   NtQueryDirectoryFile  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1,  (348, 0, 0, 0, 1237824, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02267   452   NtClose  (348, ... ) == 0x0
 02268   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02269   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02270   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02271   452   NtEnumerateValueKey  (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02272   452   NtClose  (352, ... ) == 0x0
 02273   452   NtOpenKey  (0x20019, {24, 336, 0x40, 0, 0,  (0x20019, {24, 336, 0x40, 0, 0, "Volatile Environment"}, ... 352, ) }, ... 352, ) == 0x0
 02274   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02275   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02276   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02277   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02278   452   NtEnumerateValueKey  (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02279   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02280   452   NtEnumerateValueKey  (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02281   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02282   452   NtEnumerateValueKey  (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02283   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02284   452   NtEnumerateValueKey  (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02285   452   NtQueryVirtualMemory  (-1, 0x930000, Basic, 28, ... {BaseAddress=0x930000,AllocationBase=0x930000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02286   452   NtEnumerateValueKey  (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02287   452   NtEnumerateValueKey  (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02288   452   NtEnumerateValueKey  (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02289   452   NtEnumerateValueKey  (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02290   452   NtEnumerateValueKey  (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02291   452   NtEnumerateValueKey  (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02292   452   NtEnumerateValueKey  (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02293   452   NtEnumerateValueKey  (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02294   452   NtEnumerateValueKey  (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02295   452   NtEnumerateValueKey  (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02296   452   NtClose  (352, ... ) == 0x0
 02297   452   NtClose  (336, ... ) == 0x0
 02298   452   NtFreeVirtualMemory  (-1, (0x930000), 0, 32768, ... (0x930000), 4096, ) == 0x0
 02299   452   NtClose  (344, ... ) == 0x0
 02300   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240388, ... ) }, 1240388, ... ) == 0x0
 02301   452   NtQueryInformationToken  (332, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 02302   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0
 02303   452   NtCreateKey  (0x2000000, {24, 344, 0x40, 0, 0,  (0x2000000, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 02304   452   NtClose  (344, ... ) == 0x0
 02305   452   NtSetValueKey  (336,  (336, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (336, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 02306   452   NtClose  (336, ... ) == 0x0
 02307   452   NtClose  (332, ... ) == 0x0
 02308   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02309   452   NtCreateKey  (0x2, {24, 328, 0x40, 0, 0,  (0x2, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0
 02310   452   NtSetValueKey  (332,  (332, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (332, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02311   452   NtClose  (332, ... ) == 0x0
 02312   452   NtOpenKey  (0x20019, {24, 328, 0x40, 0, 0,  (0x20019, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 332, ) }, ... 332, ) == 0x0
 02313   452   NtQueryValueKey  (332,  (332, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02314   452   NtQueryValueKey  (332,  (332, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02315   452   NtQueryValueKey  (332,  (332, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316   452   NtQueryValueKey  (332,  (332, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   452   NtClose  (332, ... ) == 0x0
 02318   452   NtWaitForSingleObject  (204, 0, 0x0, ... ) == 0x0
 02319   452   NtCreateKey  (0x1, {24, 328, 0x40, 0, 0,  (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0
 02320   452   NtQueryValueKey  (332,  (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02321   452   NtQueryValueKey  (332,  (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02322   452   NtReleaseMutant  (204, ... 0x0, ) == 0x0
 02323   452   NtClose  (332, ... ) == 0x0
 02324   452   NtWaitForSingleObject  (204, 0, 0x0, ... ) == 0x0
 02325   452   NtCreateKey  (0x1, {24, 328, 0x40, 0, 0,  (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0
 02326   452   NtQueryValueKey  (332,  (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02327   452   NtQueryValueKey  (332,  (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02328   452   NtReleaseMutant  (204, ... 0x0, ) == 0x0
 02329   452   NtClose  (332, ... ) == 0x0
 02330   452   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02331   452   NtClearEvent  (184, ... ) == 0x0
 02332   452   NtSetEvent  (184, ... 0x0, ) == 0x0
 02333   452   NtCreateKey  (0x20006, {24, 328, 0x40, 0, 0,  (0x20006, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0
 02334   452   NtSetValueKey  (332,  (332, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (332, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02335   452   NtDeleteValueKey  (332,  (332, "ProxyServer", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   452   NtDeleteValueKey  (332,  (332, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02337   452   NtDeleteValueKey  (332,  (332, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02338   452   NtClose  (332, ... ) == 0x0
 02339   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 332, ) }, ... 332, ) == 0x0
 02340   452   NtCreateKey  (0x2, {24, 332, 0x40, 0, 0,  (0x2, {24, 332, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 336, 2, ) }, 0, "", 0, ... 336, 2, ) == 0x0
 02341   452   NtSetValueKey  (336,  (336, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (336, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02342   452   NtClose  (336, ... ) == 0x0
 02343   452   NtWaitForSingleObject  (204, 0, 0x0, ... ) == 0x0
 02344   452   NtCreateKey  (0x1, {24, 328, 0x40, 0, 0,  (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 336, 2, ) }, 0, "", 0, ... 336, 2, ) == 0x0
 02345   452   NtQueryValueKey  (336,  (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02346   452   NtQueryValueKey  (336,  (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02347   452   NtCreateKey  (0x2, {24, 328, 0x40, 0, 0,  (0x2, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 344, 2, ) }, 0, "", 0, ... 344, 2, ) == 0x0
 02348   452   NtReleaseMutant  (204, ... 0x0, ) == 0x0
 02349   452   NtClose  (336, ... ) == 0x0
 02350   452   NtSetValueKey  (344,  (344, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3,  (344, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ...
 02351   452   NtSetInformationFile  (-2147482700, -136149196, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02352   452   NtSetInformationFile  (-2147482700, -136149296, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02350   452   NtSetValueKey  ... ) == 0x0
 02353   452   NtClose  (344, ... ) == 0x0
 02354   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 02355   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02356   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 02357   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 02358   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02359   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 02360   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0
 02361   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 344, ... 336, ) == 0x0
 02362   452   NtClose  (344, ... ) == 0x0
 02363   452   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 229376, ) == 0x0
 02364   452   NtClose  (336, ... ) == 0x0
 02365   452   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 02366   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1238392, ... ) }, 1238392, ... ) == 0x0
 02367   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02368   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 336, ... 344, ) == 0x0
 02369   452   NtQuerySection  (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02370   452   NtClose  (336, ... ) == 0x0
 02371   452   NtMapViewOfSection  (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 02372   452   NtClose  (344, ... ) == 0x0
 02373   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02374   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02375   452   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0
 02376   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02377   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02378   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1238192, ... ) }, 1238192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02379   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1238192, ... ) }, 1238192, ... ) == 0x0
 02380   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02381   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 336, ... 352, ) == 0x0
 02382   452   NtQuerySection  (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02383   452   NtClose  (336, ... ) == 0x0
 02384   452   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 02385   452   NtClose  (352, ... ) == 0x0
 02386   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0
 02387   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02388   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02389   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   452   NtQueryValueKey  (336,  (336, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02391   452   NtQueryValueKey  (352,  (352, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02392   452   NtQueryValueKey  (336,  (336, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02393   452   NtQueryValueKey  (352,  (352, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02394   452   NtQueryValueKey  (336,  (336, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02395   452   NtQueryValueKey  (352,  (352, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02396   452   NtQueryValueKey  (336,  (336, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   452   NtQueryValueKey  (352,  (352, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   452   NtQueryValueKey  (336,  (336, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02399   452   NtQueryValueKey  (336,  (336, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02400   452   NtQueryValueKey  (336,  (336, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02401   452   NtQueryValueKey  (336,  (336, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02402   452   NtQueryValueKey  (336,  (336, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   452   NtQueryValueKey  (336,  (336, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02404   452   NtQueryValueKey  (336,  (336, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   452   NtQueryValueKey  (352,  (352, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02406   452   NtQueryValueKey  (336,  (336, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02407   452   NtQueryValueKey  (336,  (336, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02408   452   NtQueryValueKey  (352,  (352, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02409   452   NtQueryValueKey  (336,  (336, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02410   452   NtQueryValueKey  (352,  (352, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02411   452   NtQueryValueKey  (336,  (336, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02412   452   NtQueryValueKey  (352,  (352, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02413   452   NtQueryValueKey  (336,  (336, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02414   452   NtQueryValueKey  (352,  (352, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02415   452   NtQueryValueKey  (336,  (336, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02416   452   NtQueryValueKey  (352,  (352, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02417   452   NtQueryValueKey  (336,  (336, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02418   452   NtQueryValueKey  (352,  (352, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02419   452   NtQueryValueKey  (336,  (336, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02420   452   NtQueryValueKey  (352,  (352, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02421   452   NtQueryValueKey  (336,  (336, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02422   452   NtQueryValueKey  (352,  (352, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02423   452   NtQueryValueKey  (336,  (336, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02424   452   NtQueryValueKey  (336,  (336, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02425   452   NtQueryValueKey  (336,  (336, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02426   452   NtQueryValueKey  (336,  (336, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427   452   NtQueryValueKey  (336,  (336, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   452   NtQueryValueKey  (336,  (336, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   452   NtQueryValueKey  (336,  (336, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02430   452   NtQueryValueKey  (336,  (336, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02431   452   NtQueryValueKey  (336,  (336, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02432   452   NtQueryValueKey  (336,  (336, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02433   452   NtQueryValueKey  (336,  (336, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02434   452   NtQueryValueKey  (336,  (336, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02435   452   NtQueryValueKey  (336,  (336, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 348, ) }, ... 348, ) == 0x0
 02437   452   NtQueryValueKey  (348,  (348, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02438   452   NtClose  (348, ... ) == 0x0
 02439   452   NtClose  (352, ... ) == 0x0
 02440   452   NtClose  (336, ... ) == 0x0
 02441   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02442   452   NtQueryValueKey  (336,  (336, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02443   452   NtQueryValueKey  (336,  (336, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02444   452   NtQueryValueKey  (336,  (336, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02445   452   NtClose  (336, ... ) == 0x0
 02446   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02447   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238668, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238668, 112, ... 352, 0x0, 0x0, 0x0, 112, ) == 0x0
 02448   452   NtRequestWaitReplyPort  (352, {128, 152, new_msg, 0, 1310720, 124000, 1310720, 1238432}  (352, {128, 152, new_msg, 0, 1310720, 124000, 1310720, 1238432} "\0$\370wP\354\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\30\301\25\0\220\301\25\0\0\0\0\0\210\301\25\0\320\302\25\0@\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0S\0\0\0" ... {128, 152, reply, 0, 444, 452, 1589, 0} "\7$\370wP\354\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\30\301\25\0\220\301\25\0\0\0\0\0\210\301\25\0\320\302\25\0@\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0S\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1589, 0}  (352, {128, 152, new_msg, 0, 1310720, 124000, 1310720, 1238432} "\0$\370wP\354\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\30\301\25\0\220\301\25\0\0\0\0\0\210\301\25\0\320\302\25\0@\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0S\0\0\0" ... {128, 152, reply, 0, 444, 452, 1589, 0} "\7$\370wP\354\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\30\301\25\0\220\301\25\0\0\0\0\0\210\301\25\0\320\302\25\0@\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0S\0\0\0" )  ) == 0x0
 02449   452   NtRequestWaitReplyPort  (352, {64, 88, new_msg, 0, 44, 3, 20, 0}  (352, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1590, 0} "\2P\375\177\1\00\300\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1590, 0}  (352, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1590, 0} "\2P\375\177\1\00\300\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02450   452   NtClose  (336, ... ) == 0x0
 02451   452   NtClose  (352, ... ) == 0x0
 02452   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0
 02453   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02454   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02455   452   NtQueryValueKey  (352,  (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02456   452   NtQueryValueKey  (352,  (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02457   452   NtClose  (352, ... ) == 0x0
 02458   452   NtClose  (336, ... ) == 0x0
 02459   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02460   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238532, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238532, 112, ... 352, 0x0, 0x0, 0x0, 112, ) == 0x0
 02461   452   NtRequestWaitReplyPort  (352, {128, 152, new_msg, 0, 1310720, 123864, 1310720, 1238296}  (352, {128, 152, new_msg, 0, 1310720, 123864, 1310720, 1238296} "\0$\370w\310\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\30\301\25\0\330\302\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\4\347\22\0\0\0\0\0\0\0\0\0@\304\25\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1593, 0} "\7$\370w\310\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\30\301\25\0\330\302\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\4\347\22\0\0\0\0\0\0\0\0\0@\304\25\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1593, 0}  (352, {128, 152, new_msg, 0, 1310720, 123864, 1310720, 1238296} "\0$\370w\310\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\30\301\25\0\330\302\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\4\347\22\0\0\0\0\0\0\0\0\0@\304\25\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1593, 0} "\7$\370w\310\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\30\301\25\0\330\302\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\4\347\22\0\0\0\0\0\0\0\0\0@\304\25\0\5\0\0\0" )  ) == 0x0
 02462   452   NtRequestWaitReplyPort  (352, {44, 68, new_msg, 0, 444, 452, 1590, 0}  (352, {44, 68, new_msg, 0, 444, 452, 1590, 0} "\1P\0\0A\2\4\0\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 444, 452, 1594, 0} "\2P\375\177\4\00\300\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 444, 452, 1594, 0}  (352, {44, 68, new_msg, 0, 444, 452, 1590, 0} "\1P\0\0A\2\4\0\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 444, 452, 1594, 0} "\2P\375\177\4\00\300\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" )  ) == 0x0
 02463   452   NtRequestWaitReplyPort  (352, {64, 88, new_msg, 56, 0, 1, 0, 0}  (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\347\22\0@\0\314w\260\300\25\0\314\347\22\04\350\22\0\0\267\362v4\350\22\0\260\300\25\0\1\0\0\0p\304\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 444, 452, 1595, 0} "\10\347\22\0@\0\314w\260\300\25\0\314\347\22\04\350\22\0\0\267\362v4\350\22\0\260\300\25\0\1\0\0\0p\304\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 444, 452, 1595, 0}  (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\347\22\0@\0\314w\260\300\25\0\314\347\22\04\350\22\0\0\267\362v4\350\22\0\260\300\25\0\1\0\0\0p\304\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 444, 452, 1595, 0} "\10\347\22\0@\0\314w\260\300\25\0\314\347\22\04\350\22\0\0\267\362v4\350\22\0\260\300\25\0\1\0\0\0p\304\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02464   452   NtClose  (336, ... ) == 0x0
 02465   452   NtClose  (352, ... ) == 0x0
 02466   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0
 02467   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02468   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02469   452   NtQueryValueKey  (352,  (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02470   452   NtQueryValueKey  (352,  (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02471   452   NtClose  (352, ... ) == 0x0
 02472   452   NtClose  (336, ... ) == 0x0
 02473   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02474   452   NtQueryValueKey  (336,  (336, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02475   452   NtClose  (336, ... ) == 0x0
 02476   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 02477   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02478   452   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 336, ... 352, ) == 0x0
 02479   452   NtClose  (336, ... ) == 0x0
 02480   452   NtMapViewOfSection  (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x930000), 0x0, 16384, ) == 0x0
 02481   452   NtClose  (352, ... ) == 0x0
 02482   452   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 02483   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1238392, ... ) }, 1238392, ... ) == 0x0
 02484   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02485   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 352, ... 336, ) == 0x0
 02486   452   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02487   452   NtClose  (352, ... ) == 0x0
 02488   452   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 02489   452   NtClose  (336, ... ) == 0x0
 02490   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 336, ) }, ... 336, ) == 0x0
 02491   452   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02492   452   NtClose  (336, ... ) == 0x0
 02493   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02494   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 352, ) }, ... 352, ) == 0x0
 02495   452   NtQueryValueKey  (352,  (352, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02496   452   NtClose  (352, ... ) == 0x0
 02497   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1238076, ... ) }, 1238076, ... ) == 0x0
 02498   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02499   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9633792, 65536, ) == 0x0
 02500   452   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 02501   452   NtAllocateVirtualMemory  (-1, 9637888, 0, 8192, 4096, 4, ... 9637888, 8192, ) == 0x0
 02502   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02503   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0
 02504   452   NtRequestWaitReplyPort  (348, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128}  (348, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\30\301\25\0\0\216\25\0\0\0\0\0\370\215\25\0 \216\25\0\220\217\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" ... {128, 152, reply, 0, 444, 452, 1598, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\30\301\25\0\0\216\25\0\0\0\0\0\370\215\25\0 \216\25\0\220\217\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1598, 0}  (348, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\30\301\25\0\0\216\25\0\0\0\0\0\370\215\25\0 \216\25\0\220\217\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" ... {128, 152, reply, 0, 444, 452, 1598, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\30\301\25\0\0\216\25\0\0\0\0\0\370\215\25\0 \216\25\0\220\217\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0H\0\0\0" )  ) == 0x0
 02505   452   NtRequestWaitReplyPort  (348, {64, 88, new_msg, 0, 444, 452, 1594, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1594, 0} "\1P\0\0A\2\10\0\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1599, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1599, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1594, 0} "\1P\0\0A\2\10\0\0\0\0\0m\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1599, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02506   452   NtClose  (352, ... ) == 0x0
 02507   452   NtClose  (348, ... ) == 0x0
 02508   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 02509   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 352, ) }, ... 352, ) == 0x0
 02510   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02511   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02512   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02513   452   NtClose  (348, ... ) == 0x0
 02514   452   NtClose  (352, ... ) == 0x0
 02515   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0
 02516   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 02517   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02518   452   NtQueryValueKey  (352,  (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02519   452   NtQueryValueKey  (352,  (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02520   452   NtClose  (352, ... ) == 0x0
 02521   452   NtClose  (348, ... ) == 0x0
 02522   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02523   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 02524   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 352, 0x0, 0x0, 0x0, 112, ) == 0x0
 02525   452   NtRequestWaitReplyPort  (352, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928}  (352, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\240\1\24\0\240\1\24\0\30\347\22\0\300\224\25\0\260\220\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1602, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\240\1\24\0\240\1\24\0\30\347\22\0\300\224\25\0\260\220\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1602, 0}  (352, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\007\25\0\4\0\0\007\25\0\20\344\314w07\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\240\1\24\0\240\1\24\0\30\347\22\0\300\224\25\0\260\220\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1602, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\007\25\0\377\377\377\37707\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\240\1\24\0\240\1\24\0\30\347\22\0\300\224\25\0\260\220\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\5\0\0\0" )  ) == 0x0
 02526   452   NtRequestWaitReplyPort  (352, {64, 88, new_msg, 0, 444, 452, 1599, 0}  (352, {64, 88, new_msg, 0, 444, 452, 1599, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1603, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1603, 0}  (352, {64, 88, new_msg, 0, 444, 452, 1599, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1603, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02527   452   NtClose  (348, ... ) == 0x0
 02528   452   NtClose  (352, ... ) == 0x0
 02529   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0
 02530   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 02531   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02532   452   NtQueryValueKey  (352,  (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02533   452   NtQueryValueKey  (352,  (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02534   452   NtClose  (352, ... ) == 0x0
 02535   452   NtClose  (348, ... ) == 0x0
 02536   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 02537   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 352, ) }, ... 352, ) == 0x0
 02538   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02540   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02541   452   NtClose  (348, ... ) == 0x0
 02542   452   NtClose  (352, ... ) == 0x0
 02543   452   NtOpenKey  (0x2000000, {24, 48, 0x40, 0, 0,  (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 352, ) }, ... 352, ) == 0x0
 02544   452   NtQueryValueKey  (352,  (352, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02545   452   NtQueryValueKey  (352,  (352, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02546   452   NtQueryValueKey  (352,  (352, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02547   452   NtClose  (352, ... ) == 0x0
 02548   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02549   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1239068, ... ) }, 1239068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02550   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 1239068, ... ) }, 1239068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02551   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 1239068, ... ) }, 1239068, ... ) == 0x0
 02552   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02553   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 352, ... 348, ) == 0x0
 02554   452   NtQuerySection  (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02555   452   NtClose  (352, ... ) == 0x0
 02556   452   NtMapViewOfSection  (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 02557   452   NtClose  (348, ... ) == 0x0
 02558   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 02559   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0
 02560   452   NtDeviceIoControlFile  (348, 352, 0x0, 0x0, 0xf14014,  (348, 352, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\20\0\0\0\0\360\375\177h\2\374v\1\0\0\0d\351\22\0\310\354\22\0\310\354\22\0\2$\370w\310j\367w\377\377\377\377\364j\365w$P\374w`i\365w\0\0\0\0\10\0\25\300\0\0\0\0\10\6\24\0H3$\0\254\36$\0\2204$\0\0\340\375\177\24\232\347wc\303\26\0P7\25\0^7\25\0d\303\25\0\2004$\0\30\0\26\2\224\352\22\0\224\352\22\0r\0a\0s\0a\0d\0h\0l\0p\0.\0d\0l\0l\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\210 \25\00\220\25\0 \0\0\0\0\0\0\0\210\1\24\0(\220\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\1\0\0\24\0d\352\22\0D\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\0\330\302\25\0x\226\25\0\220\226\25\0P7\25\0^7\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0P7\25\0\224\353\22\0\177;\245q\0\0\0\0\0\0\0\0P7\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\210 \25\0p\213\25\0\4\0\0\0\0\0\0\0\210\1\24\0h\213\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\1\0\0\24\0,\353\22\0\14\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\0\330\302\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02561   452   NtClose  (352, ... ) == 0x0
 02562   452   NtClose  (348, ... ) == 0x0
 02563   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\cv35"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 02564   452   NtSetInformationFile  (-2147482700, -136149980, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02565   452   NtSetInformationFile  (-2147482700, -136150268, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02566   452   NtSetInformationFile  (-2147482700, -136150076, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02563   452   NtCreateKey  ... 348, 1, ) == 0x0
 02567   452   NtQueryValueKey  (348,  (348, "n", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02568   452   NtSetValueKey  (348,  (348, "n", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (348, "n", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02569   452   NtClose  (348, ... ) == 0x0
 02570   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 348, ) == 0x0
 02571   452   NtWaitForSingleObject  (348, 0, 0x0, ... ) == 0x0
 02572   452   NtClearEvent  (348, ... ) == 0x0
 02573   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 02574   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02575   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1238660, ... ) }, 1238660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02576   452   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1238660, ... ) }, 1238660, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02577   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1238660, ... ) }, 1238660, ... ) == 0x0
 02578   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0
 02579   452   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 352, ... 356, ) == 0x0
 02580   452   NtQuerySection  (356, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02581   452   NtClose  (352, ... ) == 0x0
 02582   452   NtMapViewOfSection  (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 02583   452   NtClose  (356, ... ) == 0x0
 02584   452   NtClearEvent  (184, ... ) == 0x0
 02585   452   NtSetEvent  (184, ... 0x0, ) == 0x0
 02586   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 02587   452   NtQueryInformationFile  (148, 1240352, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02588   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 02589   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02590   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02591   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 02592   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 02593   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 02594   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02595   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02596   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 02597   452   NtQueryInformationFile  (148, 1240548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02598   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 02599   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 02600   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 356, ) }, ... 356, ) == 0x0
 02601   452   NtMapViewOfSection  (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0
 02602   452   NtClose  (356, ... ) == 0x0
 02603   452   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 356, ) }, ... 356, ) == 0x0
 02604   452   NtMapViewOfSection  (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 02605   452   NtClose  (356, ... ) == 0x0
 02606   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02607   452   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9699328, 65536, ) == 0x0
 02608   452   NtAllocateVirtualMemory  (-1, 9699328, 0, 4096, 4096, 4, ... 9699328, 4096, ) == 0x0
 02609   452   NtAllocateVirtualMemory  (-1, 9703424, 0, 8192, 4096, 4, ... 9703424, 8192, ) == 0x0
 02610   452   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 356, ) }, 0, ... 356, ) == 0x0
 02611   452   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 352, ) }, 0, ... 352, ) == 0x0
 02612   452   NtQueryDefaultUILanguage  (1236572, ...
 02613   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02614   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 02615   452   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02616   452   NtClose  (-2147482020, ... ) == 0x0
 02617   452   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 02618   452   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02619   452   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 02620   452   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02621   452   NtClose  (-2147482032, ... ) == 0x0
 02622   452   NtClose  (-2147482020, ... ) == 0x0
 02612   452   NtQueryDefaultUILanguage  ... ) == 0x0
 02623   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02624   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 360, {status=0x0, info=1}, ) }, 1, 96, ... 360, {status=0x0, info=1}, ) == 0x0
 02625   452   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 360, ... 364, ) == 0x0
 02626   452   NtMapViewOfSection  (364, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x960000), 0x0, 454656, ) == 0x0
 02627   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02628   452   NtQueryDefaultLocale  (1, 1234608, ... ) == 0x0
 02629   452   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02630   452   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1235464, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1235464, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1h\1\0\0\377\377\377\377\0\0\0\0\240\302\233\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\10\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1605, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1h\1\0\0\377\377\377\377\0\0\0\0\240\302\233\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\10\341\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 444, 452, 1605, 0}  (24, {128, 156, new_msg, 0, 1235464, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1h\1\0\0\377\377\377\377\0\0\0\0\240\302\233\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\10\341\22\0\0\0\0\0" ... {128, 156, reply, 0, 444, 452, 1605, 0} " S\26\0\33\0\1\0\0\0\0\0\1\335\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1h\1\0\0\377\377\377\377\0\0\0\0\240\302\233\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\10\341\22\0\0\0\0\0" )  ) == 0x0
 02631   452   NtClose  (360, ... ) == 0x0
 02632   452   NtClose  (364, ... ) == 0x0
 02633   452   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 02634   452   NtUnmapViewOfSection  (-1, 0x12e108, ... ) == STATUS_NOT_MAPPED_VIEW
 02635   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02636   452   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02637   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02638   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02639   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233148, ... ) }, 1233148, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02640   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02641   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02642   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02643   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233740, ... ) }, 1233740, ... ) == 0x0
 02644   452   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 364, {status=0x0, info=1}, ) }, 3, 33, ... 364, {status=0x0, info=1}, ) == 0x0
 02645   452   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02646   452   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02647   452   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02648   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02649   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02650   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 360, ) == 0x0
 02651   452   NtQueryInformationToken  (360, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02652   452   NtClose  (360, ... ) == 0x0
 02653   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 360, ) }, ... 360, ) == 0x0
 02654   452   NtSetInformationObject  (362, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 02655   452   NtQueryKey  (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02656   452   NtOpenKey  (0x2000000, {24, 362, 0x40, 0, 0,  (0x2000000, {24, 362, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02657   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 368, ) }, ... 368, ) == 0x0
 02658   452   NtQueryKey  (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0
 02659   452   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02660   452   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 372, ) == 0x0
 02661   452   NtQueryInformationToken  (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02662   452   NtClose  (372, ... ) == 0x0
 02663   452   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02664   452   NtEnumerateKey  (370, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (370, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0
 02665   452   NtEnumerateKey  (370, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02666   452   NtClose  (370, ... ) == 0x0
 02667   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02668   452   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02669   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 368, ) }, ... 368, ) == 0x0
 02670   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "Ranges\"}, ... 372, ) }, ... 372, ) == 0x0
 02671   452   NtQueryKey  (372, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0
 02672   452   NtClose  (372, ... ) == 0x0
 02673   452   NtRequestWaitReplyPort  (140, {28, 52, new_msg, 0, 0, 0, 0, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1606, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 444, 452, 1606, 0}  (140, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 444, 452, 1606, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 02674   452   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 372, ) }, {8, 0}, 4, 134217728, 0, ... 372, ) == 0x0
 02675   452   NtMapViewOfSection  (372, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x960000), {0, 0}, 4096, ) == 0x0
 02676   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 376, ) }, ... 376, ) == 0x0
 02677   452   NtQueryValueKey  (376,  (376, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02678   452   NtClose  (376, ... ) == 0x0
 02679   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 376, ) }, ... 376, ) == 0x0
 02680   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "0"}, ... 380, ) }, ... 380, ) == 0x0
 02681   452   NtClose  (380, ... ) == 0x0
 02682   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "1"}, ... 380, ) }, ... 380, ) == 0x0
 02683   452   NtClose  (380, ... ) == 0x0
 02684   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "2"}, ... 380, ) }, ... 380, ) == 0x0
 02685   452   NtClose  (380, ... ) == 0x0
 02686   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "3"}, ... 380, ) }, ... 380, ) == 0x0
 02687   452   NtClose  (380, ... ) == 0x0
 02688   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "4"}, ... 380, ) }, ... 380, ) == 0x0
 02689   452   NtClose  (380, ... ) == 0x0
 02690   452   NtClose  (376, ... ) == 0x0
 02691   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 376, ) }, ... 376, ) == 0x0
 02692   452   NtEnumerateKey  (376, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (376, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0
 02693   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 380, ) }, ... 380, ) == 0x0
 02694   452   NtQueryValueKey  (380,  (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0
 02695   452   NtClose  (380, ... ) == 0x0
 02696   452   NtEnumerateKey  (376, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (376, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0
 02697   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 380, ) }, ... 380, ) == 0x0
 02698   452   NtQueryValueKey  (380,  (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) }, 16, ) == 0x0
 02699   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 02700   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 02701   452   NtOpenKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 384, ) }, ... 384, ) == 0x0
 02702   452   NtSetValueKey  (384,  (384, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (384, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02703   452   NtSetValueKey  (384,  (384, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (384, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02704   452   NtSetValueKey  (384,  (384, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (384, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02705   452   NtClose  (384, ... ) == 0x0
 02706   452   NtClose  (380, ... ) == 0x0
 02707   452   NtEnumerateKey  (376, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (376, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) }, 18, ) == 0x0
 02708   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 380, ) }, ... 380, ) == 0x0
 02709   452   NtQueryValueKey  (380,  (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0
 02710   452   NtClose  (380, ... ) == 0x0
 02711   452   NtEnumerateKey  (376, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (376, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0
 02712   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 380, ) }, ... 380, ) == 0x0
 02713   452   NtQueryValueKey  (380,  (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02714   452   NtClose  (380, ... ) == 0x0
 02715   452   NtEnumerateKey  (376, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (376, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0
 02716   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 380, ) }, ... 380, ) == 0x0
 02717   452   NtQueryValueKey  (380,  (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (380, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 02718   452   NtClose  (380, ... ) == 0x0
 02719   452   NtEnumerateKey  (376, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 02720   452   NtClose  (376, ... ) == 0x0
 02721   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 02722   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 02723   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02724   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02725   452   NtQueryValueKey  (368,  (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02726   452   NtQueryValueKey  (368,  (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02727   452   NtClearEvent  (184, ... ) == 0x0
 02728   452   NtSetEvent  (184, ... 0x0, ) == 0x0
 02729   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "ProtocolDefaults\"}, ... 376, ) }, ... 376, ) == 0x0
 02730   452   NtQueryValueKey  (376,  (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 02731   452   NtClose  (376, ... ) == 0x0
 02732   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 02733   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 02734   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 02735   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 02736   452   NtWaitForSingleObject  (352, 0, 0x0, ... ) == 0x0
 02737   452   NtReleaseMutant  (352, ... 0x0, ) == 0x0
 02738   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 376, ) }, ... 376, ) == 0x0
 02739   452   NtQueryValueKey  (376,  (376, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02740   452   NtWaitForSingleObject  (352, 0, 0x0, ... ) == 0x0
 02741   452   NtReleaseMutant  (352, ... 0x0, ) == 0x0
 02742   452   NtWaitForSingleObject  (352, 0, 0x0, ... ) == 0x0
 02743   452   NtReleaseMutant  (352, ... 0x0, ) == 0x0
 02744   452   NtClose  (376, ... ) == 0x0
 02745   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 02746   452   NtQueryInformationFile  (148, 1240800, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02747   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 02748   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 02749   452   NtQueryInformationFile  (148, 1238416, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02750   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 02751   452   NtWaitForSingleObject  (160, 0, 0x0, ... ) == 0x0
 02752   452   NtQueryInformationFile  (168, 1240380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02753   452   NtReleaseMutant  (160, ... 0x0, ) == 0x0
 02754   452   NtWaitForSingleObject  (160, 0, 0x0, ... ) == 0x0
 02755   452   NtQueryInformationFile  (168, 1240340, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02756   452   NtReleaseMutant  (160, ... 0x0, ) == 0x0
 02757   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02758   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 02759   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) == 0x0
 02760   452   NtRequestWaitReplyPort  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0`\262\25\0\0\0\0\0\320\262\25\0\200\262\25\0\250\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\262\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 444, 452, 1608, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0`\262\25\0\0\0\0\0\320\262\25\0\200\262\25\0\250\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\262\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1608, 0}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0`\262\25\0\0\0\0\0\320\262\25\0\200\262\25\0\250\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\262\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 444, 452, 1608, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0`\262\25\0\0\0\0\0\320\262\25\0\200\262\25\0\250\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\262\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02761   452   NtRequestWaitReplyPort  (380, {64, 88, new_msg, 0, 444, 452, 1603, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1603, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1609, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1609, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1603, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 444, 452, 1609, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02762   452   NtClose  (376, ... ) == 0x0
 02763   452   NtClose  (380, ... ) == 0x0
 02764   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) , 0, ... 380, 2, ) == 0x0
 02765   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 02766   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02767   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02768   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02769   452   NtClose  (380, ... ) == 0x0
 02770   452   NtClose  (376, ... ) == 0x0
 02771   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 02772   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 380, ) }, ... 380, ) == 0x0
 02773   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02774   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02775   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02776   452   NtClose  (376, ... ) == 0x0
 02777   452   NtClose  (380, ... ) == 0x0
 02778   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02779   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 02780   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02781   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02782   452   NtClose  (380, ... ) == 0x0
 02783   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 02784   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 02785   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 02786   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02787   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 02788   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 02789   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\350\261\25\0h\257\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1612, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\350\261\25\0h\257\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1612, 0}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\350\261\25\0h\257\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1612, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\350\261\25\0h\257\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02790   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 444, 452, 1609, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1609, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1613, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1613, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1609, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1613, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02791   452   NtClose  (380, ... ) == 0x0
 02792   452   NtClose  (376, ... ) == 0x0
 02793   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 02794   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 02795   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02796   452   NtClose  (380, ... ) == 0x0
 02797   452   NtClose  (376, ... ) == 0x0
 02798   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 02799   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 02800   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 02801   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02802   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02803   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 02804   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0
 02805   452   NtClose  (376, ... ) == 0x0
 02806   452   NtQueryValueKey  (380,  (380, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02807   452   NtClose  (380, ... ) == 0x0
 02808   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02809   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 02810   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 02811   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 02812   452   NtClose  (380, ... ) == 0x0
 02813   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 02814   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 02815   452   NtClose  (380, ... ) == 0x0
 02816   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 02817   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 02818   452   NtClose  (380, ... ) == 0x0
 02819   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02820   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 02821   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 02822   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 02823   452   NtCreateKey  (0x2000000, {24, 376, 0x40, 0, 0,  (0x2000000, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 384, 2, ) }, 0, 0x0, 0, ... 384, 2, ) == 0x0
 02824   452   NtClose  (376, ... ) == 0x0
 02825   452   NtQueryValueKey  (384,  (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 02826   452   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 9895936, 4096, ) == 0x0
 02827   452   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 02828   452   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 02829   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02830   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02831   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 02832   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 02833   452   NtClose  (376, ... ) == 0x0
 02834   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 02835   452   NtQueryValueKey  (376,  (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 02836   452   NtClose  (376, ... ) == 0x0
 02837   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02838   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 376, ) }, ... 376, ) == 0x0
 02839   452   NtQueryKey  (376, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 02840   452   NtQuerySecurityObject  (376, 7, 0, ... ) == STATUS_ACCESS_DENIED
 02841   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 02842   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 02843   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 02844   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 02845   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02846   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 02847   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02848   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 02849   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02850   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 02851   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02852   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 02853   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02854   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 02855   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02856   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 02857   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02858   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02859   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02860   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 02861   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02862   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 02863   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02864   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 02865   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02866   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 02867   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 02868   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 02869   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 02870   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 02871   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 02872   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 02873   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02874   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02875   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02876   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 02877   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02878   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02879   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02880   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 02881   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02882   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02883   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 02884   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02885   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02886   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02887   452   NtClose  (376, ... ) == 0x0
 02888   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0
 02889   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0
 02890   452   NtQueryValueKey  (388,  (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 02891   452   NtClose  (388, ... ) == 0x0
 02892   452   NtClose  (376, ... ) == 0x0
 02893   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02894   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 02895   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 02896   452   NtClose  (376, ... ) == 0x0
 02897   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 02898   452   NtQueryValueKey  (376,  (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 02899   452   NtClose  (376, ... ) == 0x0
 02900   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02901   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 376, ) }, ... 376, ) == 0x0
 02902   452   NtQueryValueKey  (376,  (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 02903   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02904   452   NtQueryValueKey  (376,  (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 02905   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02906   452   NtClose  (376, ... ) == 0x0
 02907   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02908   452   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 02909   452   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 02910   452   NtQueryInformationToken  (380, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 02911   452   NtDuplicateToken  (380, 0xc, {24, 0, 0x0, 0, 1236832, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 02912   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02913   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02914   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 388, ) == 0x0
 02915   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02916   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02917   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235036,  (0xc0100080, {24, 0, 0x40, 0, 1235036, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 02918   452   NtSetInformationFile  (392, 1235092, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02919   452   NtSetInformationFile  (392, 1235084, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02920   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02921   452   NtWriteFile  (392, 293, 0, 0,  (392, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02922   452   NtReadFile  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02923   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02924   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0h\257\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0h\257\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02925   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3223\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02926   452   NtClose  (388, ... ) == 0x0
 02927   452   NtClose  (392, ... ) == 0x0
 02928   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02929   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 02930   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02931   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02932   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235032,  (0xc0100080, {24, 0, 0x40, 0, 1235032, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02933   452   NtSetInformationFile  (388, 1235088, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02934   452   NtSetInformationFile  (388, 1235080, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02935   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02936   452   NtWriteFile  (388, 293, 0, 0,  (388, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02937   452   NtReadFile  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02938   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02939   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0h\257\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0h\257\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02940   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3233\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\223\25\0\1\0\0\0\314\223\25\0 \0\0\0\1\0\0\0\16\0\20\0\330\223\25\0\350\223\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 02941   452   NtClose  (392, ... ) == 0x0
 02942   452   NtClose  (388, ... ) == 0x0
 02943   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02944   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02945   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02946   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 388, ) }, ... 388, ) == 0x0
 02947   452   NtQueryValueKey  (388,  (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 02948   452   NtClose  (388, ... ) == 0x0
 02949   452   NtCreateKey  (0x2001f, {24, 376, 0x40, 0, 0,  (0x2001f, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 388, 2, ) }, 0, 0x0, 0, ... 388, 2, ) == 0x0
 02950   452   NtQueryValueKey  (388,  (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02951   452   NtClose  (388, ... ) == 0x0
 02952   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02953   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02954   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1236736, ... ) }, 1236736, ... ) == 0x0
 02955   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236744,  (0x80100080, {24, 0, 0x40, 0, 1236744, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 02956   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02957   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02958   452   NtQueryInformationFile  (388, 1236760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02959   452   NtReadFile  (388, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 02960   452   NtClose  (388, ... ) == 0x0
 02961   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Environment"}, ... 388, ) }, ... 388, ) == 0x0
 02962   452   NtAllocateVirtualMemory  (-1, 1437696, 0, 12288, 4096, 4, ... 1437696, 12288, ) == 0x0
 02963   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02964   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02965   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02966   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02967   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02968   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02969   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 02970   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02971   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02972   452   NtClose  (392, ... ) == 0x0
 02973   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02974   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02975   452   NtClose  (392, ... ) == 0x0
 02976   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02977   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02978   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02979   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02980   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02981   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02982   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 02983   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02984   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02985   452   NtClose  (392, ... ) == 0x0
 02986   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 02987   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02988   452   NtClose  (392, ... ) == 0x0
 02989   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02990   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02991   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02992   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02993   452   NtClose  (388, ... ) == 0x0
 02994   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Volatile Environment"}, ... 388, ) }, ... 388, ) == 0x0
 02995   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02996   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02997   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02998   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02999   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03000   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03001   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03002   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03003   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03004   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03005   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03006   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03007   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03008   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03009   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 03010   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 03011   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03012   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03013   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03014   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03015   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03016   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03017   452   NtClose  (388, ... ) == 0x0
 03018   452   NtClose  (376, ... ) == 0x0
 03019   452   NtFreeVirtualMemory  (-1, (0x970000), 0, 32768, ... (0x970000), 4096, ) == 0x0
 03020   452   NtClose  (384, ... ) == 0x0
 03021   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 03022   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 03023   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 384, ) }, ... 384, ) == 0x0
 03024   452   NtCreateKey  (0x2000000, {24, 384, 0x40, 0, 0,  (0x2000000, {24, 384, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03025   452   NtClose  (384, ... ) == 0x0
 03026   452   NtSetValueKey  (376,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 03027   452   NtClose  (376, ... ) == 0x0
 03028   452   NtClose  (380, ... ) == 0x0
 03029   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03030   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03031   452   NtQueryInformationFile  (148, 1238448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03032   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03033   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03034   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03035   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03036   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03037   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03038   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03039   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03040   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0(\263\25\0\4\0\0\0(\263\25\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\350\261\25\0`\262\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1616, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0(\263\25\0\377\377\377\377(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\350\261\25\0`\262\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1616, 0}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0(\263\25\0\4\0\0\0(\263\25\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\350\261\25\0`\262\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1616, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0(\263\25\0\377\377\377\377(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\350\261\25\0`\262\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ) == 0x0
 03041   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 44, 3, 20, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1617, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1617, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1617, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 03042   452   NtClose  (380, ... ) == 0x0
 03043   452   NtClose  (376, ... ) == 0x0
 03044   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 03045   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03046   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 03047   452   NtClose  (380, ... ) == 0x0
 03048   452   NtClose  (376, ... ) == 0x0
 03049   452   NtClearEvent  (348, ... ) == 0x0
 03050   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 03051   452   NtClose  (348, ... ) == 0x0
 03052   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03053   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 03054   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03055   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128}  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\30\301\25\0\310\224\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1620, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\30\301\25\0\310\224\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1620, 0}  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\30\301\25\0\310\224\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1620, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\30\301\25\0\310\224\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 03056   452   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 0, 444, 452, 1617, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1617, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1621, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1621, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1617, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1621, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03057   452   NtClose  (348, ... ) == 0x0
 03058   452   NtClose  (376, ... ) == 0x0
 03059   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03060   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03061   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03062   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03063   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03064   452   NtClose  (376, ... ) == 0x0
 03065   452   NtClose  (348, ... ) == 0x0
 03066   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03067   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03068   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03069   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03070   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03071   452   NtClose  (348, ... ) == 0x0
 03072   452   NtClose  (376, ... ) == 0x0
 03073   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03074   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03075   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0
 03076   452   NtRequestWaitReplyPort  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928}  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1624, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1624, 0}  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1624, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" )  ) == 0x0
 03077   452   NtRequestWaitReplyPort  (348, {64, 88, new_msg, 0, 444, 452, 1621, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1621, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1625, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1625, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1621, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1625, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03078   452   NtClose  (376, ... ) == 0x0
 03079   452   NtClose  (348, ... ) == 0x0
 03080   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03081   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03082   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03083   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03084   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03085   452   NtClose  (348, ... ) == 0x0
 03086   452   NtClose  (376, ... ) == 0x0
 03087   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03088   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03089   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03090   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03091   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03092   452   NtClose  (376, ... ) == 0x0
 03093   452   NtClose  (348, ... ) == 0x0
 03094   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 03095   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03096   452   NtDeviceIoControlFile  (348, 376, 0x0, 0x0, 0xf14014,  (348, 376, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0\20\352\22\0O\345\367w{\30\335w\0\0\0\0\300.\24\0\210\212\25\0"\2\373\177 \353\22\0\0\0\0\0\263\26\365w\200 \25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\210\212\25\0\226\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\210\212\25\0\314\352\22\0\177;\245q\0\0\0\0\0\0\0\0\210\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\200\212\25\0d\303\25\0h\212\25\0\14\353\22\0}<\245qd\303\25\0\0\0\0\0\210\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0d\352\22\0D\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\08\254\25\0x\226\25\0\220\226\25\0\210\212\25\0\226\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\210\212\25\0\224\353\22\0\177;\245q\0\0\0\0\0\0\0\0\210\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\230\1\24\0\250\263\25\0\20\0\0\0\0\0\0\0\230\1\24\0\240\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qX\303\25\0D\303\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\1\0\0\24\0,\353\22\0\14\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\08\254\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) \2\373\177 \353\22\0\0\0\0\0\263\26\365w\200 \25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\210\212\25\0\226\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\210\212\25\0\314\352\22\0\177;\245q\0\0\0\0\0\0\0\0\210\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\200\212\25\0d\303\25\0h\212\25\0\14\353\22\0}<\245qd\303\25\0\0\0\0\0\210\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0d\352\22\0D\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\08\254\25\0x\226\25\0\220\226\25\0\210\212\25\0\226\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\210\212\25\0\224\353\22\0\177;\245q\0\0\0\0\0\0\0\0\210\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\230\1\24\0\250\263\25\0\20\0\0\0\0\0\0\0\230\1\24\0\240\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qX\303\25\0D\303\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\1\0\0\24\0,\353\22\0\14\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\08\254\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03097   452   NtClose  (376, ... ) == 0x0
 03098   452   NtClose  (348, ... ) == 0x0
 03099   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\cv35"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03100   452   NtQueryValueKey  (348,  (348, "n", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "n", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03101   452   NtClose  (348, ... ) == 0x0
 03102   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 348, ) == 0x0
 03103   452   NtWaitForSingleObject  (348, 0, 0x0, ... ) == 0x0
 03104   452   NtClearEvent  (348, ... ) == 0x0
 03105   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 03106   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03107   452   NtQueryInformationFile  (148, 1240352, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03108   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03109   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03110   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03111   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03112   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03113   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03114   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03115   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03116   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03117   452   NtQueryInformationFile  (148, 1240548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03118   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03119   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03120   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03121   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03122   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03123   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03124   452   NtQueryValueKey  (368,  (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03125   452   NtQueryValueKey  (368,  (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03126   452   NtClearEvent  (184, ... ) == 0x0
 03127   452   NtSetEvent  (184, ... 0x0, ) == 0x0
 03128   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "ProtocolDefaults\"}, ... 376, ) }, ... 376, ) == 0x0
 03129   452   NtQueryValueKey  (376,  (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 03130   452   NtClose  (376, ... ) == 0x0
 03131   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03132   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03133   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03134   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03135   452   NtWaitForSingleObject  (352, 0, 0x0, ... ) == 0x0
 03136   452   NtReleaseMutant  (352, ... 0x0, ) == 0x0
 03137   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03138   452   NtQueryInformationFile  (148, 1240796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03139   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03140   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03141   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03142   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) == 0x0
 03143   452   NtRequestWaitReplyPort  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1628, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1628, 0}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1628, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03144   452   NtRequestWaitReplyPort  (380, {64, 88, new_msg, 0, 444, 452, 1625, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1625, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1629, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1629, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1625, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1629, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03145   452   NtClose  (376, ... ) == 0x0
 03146   452   NtClose  (380, ... ) == 0x0
 03147   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) , 0, ... 380, 2, ) == 0x0
 03148   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03149   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03150   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03151   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03152   452   NtClose  (380, ... ) == 0x0
 03153   452   NtClose  (376, ... ) == 0x0
 03154   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03155   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 380, ) }, ... 380, ) == 0x0
 03156   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03157   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03158   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03159   452   NtClose  (376, ... ) == 0x0
 03160   452   NtClose  (380, ... ) == 0x0
 03161   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03162   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 03163   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03164   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03165   452   NtClose  (380, ... ) == 0x0
 03166   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03167   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03168   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03169   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03170   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03171   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03172   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\320\276\25\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1632, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\320\276\25\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1632, 0}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\320\276\25\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1632, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\350\261\25\0\260\262\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\320\276\25\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03173   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 444, 452, 1629, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1629, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1633, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1633, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1629, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1633, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 03174   452   NtClose  (380, ... ) == 0x0
 03175   452   NtClose  (376, ... ) == 0x0
 03176   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 03177   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03178   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv02.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 03179   452   NtClose  (380, ... ) == 0x0
 03180   452   NtClose  (376, ... ) == 0x0
 03181   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03182   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03183   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03184   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03185   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03186   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03187   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0
 03188   452   NtClose  (376, ... ) == 0x0
 03189   452   NtQueryValueKey  (380,  (380, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03190   452   NtClose  (380, ... ) == 0x0
 03191   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03192   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 03193   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 03194   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 03195   452   NtClose  (380, ... ) == 0x0
 03196   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03197   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 03198   452   NtClose  (380, ... ) == 0x0
 03199   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03200   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 03201   452   NtClose  (380, ... ) == 0x0
 03202   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03203   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 03204   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 03205   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 03206   452   NtCreateKey  (0x2000000, {24, 376, 0x40, 0, 0,  (0x2000000, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 384, 2, ) }, 0, 0x0, 0, ... 384, 2, ) == 0x0
 03207   452   NtClose  (376, ... ) == 0x0
 03208   452   NtQueryValueKey  (384,  (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 03209   452   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 9895936, 4096, ) == 0x0
 03210   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03211   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03212   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03213   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 03214   452   NtClose  (376, ... ) == 0x0
 03215   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03216   452   NtQueryValueKey  (376,  (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 03217   452   NtClose  (376, ... ) == 0x0
 03218   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03219   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 376, ) }, ... 376, ) == 0x0
 03220   452   NtQueryKey  (376, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 03221   452   NtQuerySecurityObject  (376, 7, 0, ... ) == STATUS_ACCESS_DENIED
 03222   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 03223   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 03224   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 03225   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 03226   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03227   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 03228   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03229   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 03230   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03231   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 03232   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03233   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 03234   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03235   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 03236   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03237   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 03238   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03239   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03240   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03241   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 03242   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03243   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 03244   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03245   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 03246   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03247   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 03248   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 03249   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 03250   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 03251   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 03252   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 03253   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 03254   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03255   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03256   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03257   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 03258   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03259   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03260   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03261   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03262   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03263   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03264   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 03265   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03266   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03267   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03268   452   NtClose  (376, ... ) == 0x0
 03269   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0
 03270   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0
 03271   452   NtQueryValueKey  (388,  (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 03272   452   NtClose  (388, ... ) == 0x0
 03273   452   NtClose  (376, ... ) == 0x0
 03274   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03275   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03276   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 03277   452   NtClose  (376, ... ) == 0x0
 03278   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03279   452   NtQueryValueKey  (376,  (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 03280   452   NtClose  (376, ... ) == 0x0
 03281   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03282   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 376, ) }, ... 376, ) == 0x0
 03283   452   NtQueryValueKey  (376,  (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 03284   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03285   452   NtQueryValueKey  (376,  (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 03286   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03287   452   NtClose  (376, ... ) == 0x0
 03288   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03289   452   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 03290   452   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 03291   452   NtQueryInformationToken  (380, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 03292   452   NtDuplicateToken  (380, 0xc, {24, 0, 0x0, 0, 1236832, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 03293   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03294   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03295   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 388, ) == 0x0
 03296   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03297   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03298   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235036,  (0xc0100080, {24, 0, 0x40, 0, 1235036, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 03299   452   NtSetInformationFile  (392, 1235092, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03300   452   NtSetInformationFile  (392, 1235084, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03301   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03302   452   NtWriteFile  (392, 293, 0, 0,  (392, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03303   452   NtReadFile  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03304   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03305   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0\370\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0\370\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03306   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3243\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 03307   452   NtClose  (388, ... ) == 0x0
 03308   452   NtClose  (392, ... ) == 0x0
 03309   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03310   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 03311   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03312   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03313   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235032,  (0xc0100080, {24, 0, 0x40, 0, 1235032, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 03314   452   NtSetInformationFile  (388, 1235088, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03315   452   NtSetInformationFile  (388, 1235080, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03316   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03317   452   NtWriteFile  (388, 293, 0, 0,  (388, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03318   452   NtReadFile  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\20\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03319   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\20\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\20\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03320   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0\370\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0\370\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03321   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3253\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\307\25\0\1\0\0\0d\307\25\0 \0\0\0\1\0\0\0\16\0\20\0p\307\25\0\200\307\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 03322   452   NtClose  (392, ... ) == 0x0
 03323   452   NtClose  (388, ... ) == 0x0
 03324   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03325   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03326   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03327   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 388, ) }, ... 388, ) == 0x0
 03328   452   NtQueryValueKey  (388,  (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 03329   452   NtClose  (388, ... ) == 0x0
 03330   452   NtCreateKey  (0x2001f, {24, 376, 0x40, 0, 0,  (0x2001f, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 388, 2, ) }, 0, 0x0, 0, ... 388, 2, ) == 0x0
 03331   452   NtQueryValueKey  (388,  (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03332   452   NtClose  (388, ... ) == 0x0
 03333   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03334   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03335   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1236736, ... ) }, 1236736, ... ) == 0x0
 03336   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236744,  (0x80100080, {24, 0, 0x40, 0, 1236744, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 03337   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03338   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03339   452   NtQueryInformationFile  (388, 1236760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03340   452   NtReadFile  (388, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 03341   452   NtClose  (388, ... ) == 0x0
 03342   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Environment"}, ... 388, ) }, ... 388, ) == 0x0
 03343   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03344   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03345   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03346   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03347   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03348   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03349   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 03350   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03351   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03352   452   NtClose  (392, ... ) == 0x0
 03353   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03354   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03355   452   NtClose  (392, ... ) == 0x0
 03356   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03357   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03358   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03359   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03360   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03361   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03362   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 03363   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03364   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03365   452   NtClose  (392, ... ) == 0x0
 03366   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03367   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03368   452   NtClose  (392, ... ) == 0x0
 03369   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03370   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03371   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03372   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03373   452   NtClose  (388, ... ) == 0x0
 03374   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Volatile Environment"}, ... 388, ) }, ... 388, ) == 0x0
 03375   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 03376   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03377   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 03378   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03379   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03380   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03381   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03382   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03383   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03384   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03385   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03386   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03387   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03388   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03389   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 03390   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 03391   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03392   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03393   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03394   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03395   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03396   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03397   452   NtClose  (388, ... ) == 0x0
 03398   452   NtClose  (376, ... ) == 0x0
 03399   452   NtFreeVirtualMemory  (-1, (0x970000), 0, 32768, ... (0x970000), 4096, ) == 0x0
 03400   452   NtClose  (384, ... ) == 0x0
 03401   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 03402   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 03403   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 384, ) }, ... 384, ) == 0x0
 03404   452   NtCreateKey  (0x2000000, {24, 384, 0x40, 0, 0,  (0x2000000, {24, 384, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03405   452   NtClose  (384, ... ) == 0x0
 03406   452   NtSetValueKey  (376,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 03407   452   NtClose  (376, ... ) == 0x0
 03408   452   NtClose  (380, ... ) == 0x0
 03409   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03410   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03411   452   NtQueryInformationFile  (148, 1238448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03412   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03413   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03414   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03415   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03416   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03417   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03418   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03419   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03420   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0(\263\25\0\4\0\0\0(\263\25\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\350\261\25\08\261\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1636, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0(\263\25\0\377\377\377\377(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\350\261\25\08\261\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1636, 0}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0(\263\25\0\4\0\0\0(\263\25\0\20\344\314w(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\350\261\25\08\261\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1636, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0(\263\25\0\377\377\377\377(\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\350\261\25\08\261\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ) == 0x0
 03421   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 44, 3, 20, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1637, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1637, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1637, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 03422   452   NtClose  (380, ... ) == 0x0
 03423   452   NtClose  (376, ... ) == 0x0
 03424   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 03425   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03426   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv02.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 03427   452   NtClose  (380, ... ) == 0x0
 03428   452   NtClose  (376, ... ) == 0x0
 03429   452   NtClearEvent  (348, ... ) == 0x0
 03430   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 03431   452   NtClose  (348, ... ) == 0x0
 03432   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03433   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 03434   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238364, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03435   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128}  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\212\25\0\4\0\0\0\320\212\25\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\30\301\25\0\360\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1640, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320\212\25\0\377\377\377\377\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\30\301\25\0\360\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1640, 0}  (376, {128, 152, new_msg, 0, 1310720, 123696, 1310720, 1238128} "\0$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\212\25\0\4\0\0\0\320\212\25\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\30\301\25\0\360\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1640, 0} "\7$\370w \353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320\212\25\0\377\377\377\377\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\30\301\25\0\360\316\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" )  ) == 0x0
 03436   452   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 0, 444, 452, 1637, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1637, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1641, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1641, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1637, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1641, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03437   452   NtClose  (348, ... ) == 0x0
 03438   452   NtClose  (376, ... ) == 0x0
 03439   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03440   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03441   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03442   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03443   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03444   452   NtClose  (376, ... ) == 0x0
 03445   452   NtClose  (348, ... ) == 0x0
 03446   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03447   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03448   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03449   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03450   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03451   452   NtClose  (348, ... ) == 0x0
 03452   452   NtClose  (376, ... ) == 0x0
 03453   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03454   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03455   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238164, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0
 03456   452   NtRequestWaitReplyPort  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928}  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\212\25\0\4\0\0\0\320\212\25\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1644, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320\212\25\0\377\377\377\377\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1644, 0}  (348, {128, 152, new_msg, 0, 1310720, 123496, 1310720, 1237928} "\0$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\320\212\25\0\4\0\0\0\320\212\25\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1644, 0} "\7$\370wX\352\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\320\212\25\0\377\377\377\377\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\30\301\25\0\230\217\25\0\0\0\0\0\30\347\22\0\310\346\22\0\270\350\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" )  ) == 0x0
 03457   452   NtRequestWaitReplyPort  (348, {64, 88, new_msg, 0, 444, 452, 1641, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1641, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1645, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1645, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1641, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1645, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03458   452   NtClose  (376, ... ) == 0x0
 03459   452   NtClose  (348, ... ) == 0x0
 03460   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03461   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03462   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03463   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03464   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03465   452   NtClose  (348, ... ) == 0x0
 03466   452   NtClose  (376, ... ) == 0x0
 03467   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03468   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03469   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03470   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03471   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03472   452   NtClose  (376, ... ) == 0x0
 03473   452   NtClose  (348, ... ) == 0x0
 03474   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 03475   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03476   452   NtDeviceIoControlFile  (348, 376, 0x0, 0x0, 0xf14014,  (348, 376, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0\20\352\22\0O\345\367w{\30\335w\0\0\0\0\300.\24\0\360\212\25\0"\2\373\177 \353\22\0\0\0\0\0\263\26\365wX\261\25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0\314\352\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\14\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0d\352\22\0D\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\0\300\215\25\0x\226\25\0\220\226\25\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0\224\353\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\324\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\0\0\0\24\0,\353\22\0\14\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\0h\253\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) \2\373\177 \353\22\0\0\0\0\0\263\26\365wX\261\25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0\314\352\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\14\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0d\352\22\0D\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\0\300\215\25\0x\226\25\0\220\226\25\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0\224\353\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\324\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\0\0\0\24\0,\353\22\0\14\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\0h\253\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03477   452   NtClose  (376, ... ) == 0x0
 03478   452   NtClose  (348, ... ) == 0x0
 03479   452   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\cv35"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03480   452   NtQueryValueKey  (348,  (348, "n", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "n", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03481   452   NtClose  (348, ... ) == 0x0
 03482   452   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 348, ) == 0x0
 03483   452   NtWaitForSingleObject  (348, 0, 0x0, ... ) == 0x0
 03484   452   NtClearEvent  (348, ... ) == 0x0
 03485   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 03486   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03487   452   NtQueryInformationFile  (148, 1240352, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03488   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03489   452   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03490   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03491   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03492   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03493   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03494   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03495   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03496   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03497   452   NtQueryInformationFile  (148, 1240548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03498   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03499   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03500   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03501   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03502   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "Domains\debelizombi.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03503   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\debelizombi.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03504   452   NtQueryValueKey  (368,  (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03505   452   NtQueryValueKey  (368,  (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03506   452   NtClearEvent  (184, ... ) == 0x0
 03507   452   NtSetEvent  (184, ... 0x0, ) == 0x0
 03508   452   NtOpenKey  (0x20019, {24, 368, 0x40, 0, 0,  (0x20019, {24, 368, 0x40, 0, 0, "ProtocolDefaults\"}, ... 376, ) }, ... 376, ) == 0x0
 03509   452   NtQueryValueKey  (376,  (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 03510   452   NtClose  (376, ... ) == 0x0
 03511   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03512   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03513   452   NtWaitForSingleObject  (356, 0, 0x0, ... ) == 0x0
 03514   452   NtReleaseMutant  (356, ... 0x0, ) == 0x0
 03515   452   NtWaitForSingleObject  (352, 0, 0x0, ... ) == 0x0
 03516   452   NtReleaseMutant  (352, ... 0x0, ) == 0x0
 03517   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03518   452   NtQueryInformationFile  (148, 1240796, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03519   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03520   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03521   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03522   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237256, 112, ... 380, 0x0, 0x0, 0x0, 112, ) == 0x0
 03523   452   NtRequestWaitReplyPort  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1648, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1648, 0}  (380, {128, 152, new_msg, 0, 122588, 1310720, 1237020, 2012750850} "\0\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1648, 0} "\7\346\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0\0\0\0\0X\357\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\3\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03524   452   NtRequestWaitReplyPort  (380, {64, 88, new_msg, 0, 444, 452, 1645, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1645, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1649, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1649, 0}  (380, {64, 88, new_msg, 0, 444, 452, 1645, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 444, 452, 1649, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03525   452   NtClose  (376, ... ) == 0x0
 03526   452   NtClose  (380, ... ) == 0x0
 03527   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 380, 2, ) , 0, ... 380, 2, ) == 0x0
 03528   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03529   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03530   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03531   452   NtQueryValueKey  (380,  (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03532   452   NtClose  (380, ... ) == 0x0
 03533   452   NtClose  (376, ... ) == 0x0
 03534   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03535   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 380, ) }, ... 380, ) == 0x0
 03536   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03537   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03538   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03539   452   NtClose  (376, ... ) == 0x0
 03540   452   NtClose  (380, ... ) == 0x0
 03541   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03542   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 380, ) }, ... 380, ) == 0x0
 03543   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03544   452   NtQueryValueKey  (380,  (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (380, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03545   452   NtClose  (380, ... ) == 0x0
 03546   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03547   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03548   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03549   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03550   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03551   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236592, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03552   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1652, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1652, 0}  (376, {128, 152, new_msg, 0, 121924, 1310720, 1236356, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1652, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\350\261\25\0@\272\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\336\22\0\0\0\24\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03553   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 444, 452, 1649, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1649, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1653, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1653, 0}  (376, {112, 136, new_msg, 0, 444, 452, 1649, 0} "\1\212\0\0A\2\11\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\324\352\24\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1653, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 03554   452   NtClose  (380, ... ) == 0x0
 03555   452   NtClose  (376, ... ) == 0x0
 03556   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 03557   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03558   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.debelizombi.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 03559   452   NtClose  (380, ... ) == 0x0
 03560   452   NtClose  (376, ... ) == 0x0
 03561   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03562   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03563   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03564   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03565   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03566   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03567   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0
 03568   452   NtClose  (376, ... ) == 0x0
 03569   452   NtQueryValueKey  (380,  (380, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03570   452   NtClose  (380, ... ) == 0x0
 03571   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03572   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 03573   452   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 03574   452   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 03575   452   NtClose  (380, ... ) == 0x0
 03576   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03577   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 03578   452   NtClose  (380, ... ) == 0x0
 03579   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0
 03580   452   NtQueryDirectoryFile  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1,  (380, 0, 0, 0, 1236376, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 03581   452   NtClose  (380, ... ) == 0x0
 03582   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03583   452   NtOpenProcessToken  (-1, 0xc, ... 380, ) == 0x0
 03584   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 03585   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 03586   452   NtCreateKey  (0x2000000, {24, 376, 0x40, 0, 0,  (0x2000000, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 384, 2, ) }, 0, 0x0, 0, ... 384, 2, ) == 0x0
 03587   452   NtClose  (376, ... ) == 0x0
 03588   452   NtQueryValueKey  (384,  (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (384, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 03589   452   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 9895936, 4096, ) == 0x0
 03590   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03591   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03592   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03593   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 03594   452   NtClose  (376, ... ) == 0x0
 03595   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03596   452   NtQueryValueKey  (376,  (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 03597   452   NtClose  (376, ... ) == 0x0
 03598   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03599   452   NtOpenKey  (0x1, {24, 48, 0x40, 0, 0,  (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 376, ) }, ... 376, ) == 0x0
 03600   452   NtQueryKey  (376, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 03601   452   NtQuerySecurityObject  (376, 7, 0, ... ) == STATUS_ACCESS_DENIED
 03602   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 03603   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 03604   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 03605   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 03606   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03607   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 03608   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03609   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 03610   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03611   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 03612   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03613   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 03614   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03615   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 03616   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03617   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 03618   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03619   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03620   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03621   452   NtEnumerateValueKey  (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 03622   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03623   452   NtEnumerateValueKey  (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 03624   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03625   452   NtEnumerateValueKey  (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 03626   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03627   452   NtEnumerateValueKey  (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 03628   452   NtEnumerateValueKey  (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 03629   452   NtEnumerateValueKey  (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 03630   452   NtEnumerateValueKey  (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 03631   452   NtEnumerateValueKey  (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 03632   452   NtEnumerateValueKey  (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 03633   452   NtEnumerateValueKey  (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 03634   452   NtEnumerateValueKey  (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03635   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03636   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03637   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 03638   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03639   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03640   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03641   452   NtEnumerateValueKey  (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 03642   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03643   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03644   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1235448, ... ) }, 1235448, ... ) == 0x0
 03645   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03646   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03647   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03648   452   NtClose  (376, ... ) == 0x0
 03649   452   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0
 03650   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0
 03651   452   NtQueryValueKey  (388,  (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 03652   452   NtClose  (388, ... ) == 0x0
 03653   452   NtClose  (376, ... ) == 0x0
 03654   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03655   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03656   452   NtQueryValueKey  (376,  (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 03657   452   NtClose  (376, ... ) == 0x0
 03658   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0
 03659   452   NtQueryValueKey  (376,  (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 03660   452   NtClose  (376, ... ) == 0x0
 03661   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03662   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 376, ) }, ... 376, ) == 0x0
 03663   452   NtQueryValueKey  (376,  (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 03664   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03665   452   NtQueryValueKey  (376,  (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 03666   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03667   452   NtClose  (376, ... ) == 0x0
 03668   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03669   452   NtOpenKey  (0x20019, {24, 324, 0x40, 0, 0,  (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0
 03670   452   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 03671   452   NtQueryInformationToken  (380, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 03672   452   NtDuplicateToken  (380, 0xc, {24, 0, 0x0, 0, 1236832, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 03673   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03674   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03675   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 388, ) == 0x0
 03676   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03677   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03678   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235036,  (0xc0100080, {24, 0, 0x40, 0, 1235036, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 392, {status=0x0, info=1}, ) == 0x0
 03679   452   NtSetInformationFile  (392, 1235092, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03680   452   NtSetInformationFile  (392, 1235084, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03681   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03682   452   NtWriteFile  (392, 293, 0, 0,  (392, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03683   452   NtReadFile  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (392, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03684   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\21\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03685   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0\320\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0H\337\22\0\1\0\0\0\320\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03686   452   NtFsControlFile  (392, 293, 0x0, 0x0, 0x11c017,  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\260\25\0\1\0\0\0\334\260\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\260\25\0\370\260\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (392, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3263\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\260\25\0\1\0\0\0\334\260\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\260\25\0\370\260\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 03687   452   NtClose  (388, ... ) == 0x0
 03688   452   NtClose  (392, ... ) == 0x0
 03689   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03690   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 392, ) == 0x0
 03691   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03692   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03693   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235032,  (0xc0100080, {24, 0, 0x40, 0, 1235032, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 03694   452   NtSetInformationFile  (388, 1235088, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03695   452   NtSetInformationFile  (388, 1235080, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03696   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03697   452   NtWriteFile  (388, 293, 0, 0,  (388, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03698   452   NtReadFile  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (388, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03699   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\14\337\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\22\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03700   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0\320\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0D\337\22\0\1\0\0\0\320\270\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03701   452   NtFsControlFile  (388, 293, 0x0, 0x0, 0x11c017,  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\260\25\0\1\0\0\0\334\260\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\260\25\0\370\260\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (388, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3273\307A\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\260\25\0\1\0\0\0\334\260\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\260\25\0\370\260\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\350\213\25\0\1\0\0\0\1\0\0\0\20\0\22\0\374\213\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 03702   452   NtClose  (392, ... ) == 0x0
 03703   452   NtClose  (388, ... ) == 0x0
 03704   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03705   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03706   452   NtQueryInformationToken  (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 03707   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 388, ) }, ... 388, ) == 0x0
 03708   452   NtQueryValueKey  (388,  (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (388, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 03709   452   NtClose  (388, ... ) == 0x0
 03710   452   NtCreateKey  (0x2001f, {24, 376, 0x40, 0, 0,  (0x2001f, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 388, 2, ) }, 0, 0x0, 0, ... 388, 2, ) == 0x0
 03711   452   NtQueryValueKey  (388,  (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03712   452   NtClose  (388, ... ) == 0x0
 03713   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03714   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03715   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1236736, ... ) }, 1236736, ... ) == 0x0
 03716   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236744,  (0x80100080, {24, 0, 0x40, 0, 1236744, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 388, {status=0x0, info=1}, ) == 0x0
 03717   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03718   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03719   452   NtQueryInformationFile  (388, 1236760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03720   452   NtReadFile  (388, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 03721   452   NtClose  (388, ... ) == 0x0
 03722   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Environment"}, ... 388, ) }, ... 388, ) == 0x0
 03723   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03724   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03725   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03726   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03727   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03728   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03729   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 03730   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03731   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03732   452   NtClose  (392, ... ) == 0x0
 03733   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03734   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03735   452   NtClose  (392, ... ) == 0x0
 03736   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03737   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03738   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03739   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 03740   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03741   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03742   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1235476, ... ) }, 1235476, ... ) == 0x0
 03743   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03744   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 03745   452   NtClose  (392, ... ) == 0x0
 03746   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 392, {status=0x0, info=1}, ) }, 3, 16417, ... 392, {status=0x0, info=1}, ) == 0x0
 03747   452   NtQueryDirectoryFile  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1,  (392, 0, 0, 0, 1234836, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 03748   452   NtClose  (392, ... ) == 0x0
 03749   452   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 03750   452   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 03751   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03752   452   NtEnumerateValueKey  (388, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03753   452   NtClose  (388, ... ) == 0x0
 03754   452   NtOpenKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Volatile Environment"}, ... 388, ) }, ... 388, ) == 0x0
 03755   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 03756   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03757   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 03758   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03759   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03760   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03761   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03762   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03763   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03764   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03765   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03766   452   NtQueryVirtualMemory  (-1, 0x970000, Basic, 28, ... {BaseAddress=0x970000,AllocationBase=0x970000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 03767   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03768   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03769   452   NtEnumerateValueKey  (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 03770   452   NtEnumerateValueKey  (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 03771   452   NtEnumerateValueKey  (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 03772   452   NtEnumerateValueKey  (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 03773   452   NtEnumerateValueKey  (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 03774   452   NtEnumerateValueKey  (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 03775   452   NtEnumerateValueKey  (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 03776   452   NtEnumerateValueKey  (388, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 03777   452   NtClose  (388, ... ) == 0x0
 03778   452   NtClose  (376, ... ) == 0x0
 03779   452   NtFreeVirtualMemory  (-1, (0x970000), 0, 32768, ... (0x970000), 4096, ) == 0x0
 03780   452   NtClose  (384, ... ) == 0x0
 03781   452   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1237400, ... ) }, 1237400, ... ) == 0x0
 03782   452   NtQueryInformationToken  (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 03783   452   NtOpenKey  (0x2001f, {24, 324, 0x40, 0, 0,  (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 384, ) }, ... 384, ) == 0x0
 03784   452   NtCreateKey  (0x2000000, {24, 384, 0x40, 0, 0,  (0x2000000, {24, 384, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03785   452   NtClose  (384, ... ) == 0x0
 03786   452   NtSetValueKey  (376,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 03787   452   NtClose  (376, ... ) == 0x0
 03788   452   NtClose  (380, ... ) == 0x0
 03789   452   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 03790   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03791   452   NtQueryInformationFile  (148, 1238448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03792   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03793   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03794   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03795   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03796   452   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 03797   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03798   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03799   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236588, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03800   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\23\0\350\261\25\0h\272\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1656, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\23\0\350\261\25\0h\272\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1656, 0}  (376, {128, 152, new_msg, 0, 1310720, 121920, 1310720, 1236352} "\0$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0h\212\25\0\4\0\0\0h\212\25\0\20\344\314wh\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\23\0\350\261\25\0h\272\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1656, 0} "\7$\370w0\344\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0h\212\25\0\377\377\377\377h\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\23\0\350\261\25\0h\272\25\0\0\0\0\0f\0\0\03\0\0\0 \345\22\0\0\0\0\0\0\0\22\0\34\336\22\0\220,\25\0\0\0\0\0\2$\370w\5\0\0\0" )  ) == 0x0
 03801   452   NtRequestWaitReplyPort  (376, {112, 136, new_msg, 0, 44, 3, 20, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1657, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 444, 452, 1657, 0}  (376, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\344\200\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\324\352\24\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 444, 452, 1657, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 03802   452   NtClose  (380, ... ) == 0x0
 03803   452   NtClose  (376, ... ) == 0x0
 03804   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0
 03805   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0
 03806   452   NtDeviceIoControlFile  (376, 380, 0x0, 0x0, 0xf14014,  (376, 380, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.debelizombi.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 03807   452   NtClose  (380, ... ) == 0x0
 03808   452   NtClose  (376, ... ) == 0x0
 03809   452   NtClearEvent  (348, ... ) == 0x0
 03810   452   NtSetEvent  (348, ... 0x0, ) == 0x0
 03811   452   NtClose  (348, ... ) == 0x0
 03812   452   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1241700,  (0x80100080, {24, 0, 0x40, 0, 1241700, "\??\C:\WINDOWS\imon.cfg"}, 0x0, 0, 1, 1, 96, 0, 0, ... ) }, 0x0, 0, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03813   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03814   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 03815   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238512, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238512, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0
 03816   452   NtRequestWaitReplyPort  (376, {128, 152, new_msg, 0, 123844, 1310720, 1238276, 2012750850}  (376, {128, 152, new_msg, 0, 123844, 1310720, 1238276, 2012750850} "\0\353\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\24\0\30\301\25\0`\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1660, 0} "\7\353\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\24\0\30\301\25\0`\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1660, 0}  (376, {128, 152, new_msg, 0, 123844, 1310720, 1238276, 2012750850} "\0\353\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\24\0\30\301\25\0`\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1660, 0} "\7\353\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\24\0\30\301\25\0`\262\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03817   452   NtRequestWaitReplyPort  (376, {64, 88, new_msg, 0, 444, 452, 1657, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1657, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1661, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1661, 0}  (376, {64, 88, new_msg, 0, 444, 452, 1657, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1661, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03818   452   NtClose  (348, ... ) == 0x0
 03819   452   NtClose  (376, ... ) == 0x0
 03820   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03821   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03822   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03823   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03824   452   NtQueryValueKey  (376,  (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03825   452   NtClose  (376, ... ) == 0x0
 03826   452   NtClose  (348, ... ) == 0x0
 03827   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03828   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03829   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03830   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03831   452   NtQueryValueKey  (348,  (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03832   452   NtClose  (348, ... ) == 0x0
 03833   452   NtClose  (376, ... ) == 0x0
 03834   452   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 03835   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03836   452   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238312, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238312, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0
 03837   452   NtRequestWaitReplyPort  (348, {128, 152, new_msg, 0, 123644, 1310720, 1238076, 2012750850}  (348, {128, 152, new_msg, 0, 123644, 1310720, 1238076, 2012750850} "\0\352\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\25\0\30\301\25\0\230\217\25\0\0\0\0\0\254\347\22\0\\347\22\0L\351\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\315\27\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1664, 0} "\7\352\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\25\0\30\301\25\0\230\217\25\0\0\0\0\0\254\347\22\0\\347\22\0L\351\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\315\27\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 444, 452, 1664, 0}  (348, {128, 152, new_msg, 0, 123644, 1310720, 1238076, 2012750850} "\0\352\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\320\212\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\25\0\30\301\25\0\230\217\25\0\0\0\0\0\254\347\22\0\\347\22\0L\351\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\315\27\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 444, 452, 1664, 0} "\7\352\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\25\0\30\301\25\0\230\217\25\0\0\0\0\0\254\347\22\0\\347\22\0L\351\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\315\27\365w\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 03838   452   NtRequestWaitReplyPort  (348, {64, 88, new_msg, 0, 444, 452, 1661, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1661, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1665, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 444, 452, 1665, 0}  (348, {64, 88, new_msg, 0, 444, 452, 1661, 0} "\1\212\0\0A\2\10\0\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\377\377\377\377S\275N\200\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 444, 452, 1665, 0} "\2\212T\200\1\0\30\201\214\353\361\371\231\254N\200\242\254N\200\274\212T\200\1\0\0\0S\275N\200\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 03839   452   NtClose  (376, ... ) == 0x0
 03840   452   NtClose  (348, ... ) == 0x0
 03841   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0
 03842   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0
 03843   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03844   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03845   452   NtQueryValueKey  (348,  (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 03846   452   NtClose  (348, ... ) == 0x0
 03847   452   NtClose  (376, ... ) == 0x0
 03848   452   NtCreateKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0
 03849   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0
 03850   452   NtOpenKey  (0x20019, {24, 48, 0x40, 0, 0,  (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03851   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03852   452   NtQueryValueKey  (376,  (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 03853   452   NtClose  (376, ... ) == 0x0
 03854   452   NtClose  (348, ... ) == 0x0
 03855   452   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0
 03856   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03857   452   NtDeviceIoControlFile  (348, 376, 0x0, 0x0, 0xf14014,  (348, 376, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0\244\352\22\0O\345\367w{\30\335w\0\0\0\0\300.\24\0\360\212\25\0"\2\373\177\264\353\22\0\0\0\0\0\263\26\365w\240\263\25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0`\353\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\240\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0\370\352\22\0\330\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\0\230\252\25\0x\226\25\0\220\226\25\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0(\354\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0h\354\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\0\0\0\24\0\300\353\22\0\240\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\0\330\302\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) \2\373\177\264\353\22\0\0\0\0\0\263\26\365w\240\263\25\0q\26\365w\350\6\24\0\215\26\365w\0\0\0\0\0\303\25\08!\25\0\24\232\347wc\303\26\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0`\353\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0\240\353\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08!\1\0\0\0\24\0\370\352\22\0\330\357\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8!\25\0\230\252\25\0x\226\25\0\220\226\25\0\360\212\25\0\376\212\25\0d\303\25\0\377\377\0\0\0\0\0\0d\303\25\0\7\0\0\0\360\212\25\0(\354\22\0\177;\245q\0\0\0\0\0\0\0\0\360\212\25\0\0\0\0\0d\303\25\0\377\377\0\0\1\0\0\0\0\0\0\0\350\212\25\0d\303\25\0\320\212\25\0h\354\22\0}<\245qd\303\25\0\0\0\0\0\360\212\25\0\365<\245qX\303\25\0D\303\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\10\375\1\0\0\0\24\0\300\353\22\0\240\360\22\0\324\374\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\10\375\24\0\330\302\25\0x\226\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 03858   452   NtClose  (376, ... ) == 0x0
 03859   452   NtClose  (348, ... ) == 0x0
 03860   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x7b5a, {512, 384}}, ) == 0x1
 03861   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03862   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03863   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03864   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03865   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03866   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03867   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03868   452   NtClose  (348, ... ) == 0x0
 03869   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03870   452   NtClose  (376, ... ) == 0x0
 03871   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03872   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03873   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03874   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03875   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03876   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03877   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03878   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x8339, {512, 384}}, ) == 0x1
 03879   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03880   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03881   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 03882   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 03883   452   NtClose  (376, ... ) == 0x0
 03884   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03885   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03886   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03887   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03888   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 03889   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03890   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03891   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03892   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03893   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\276\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03894   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\276\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\276\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03895   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03896   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03897   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\271h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03898   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\270h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03899   452   NtClose  (376, ... ) == 0x0
 03900   452   NtClose  (348, ... ) == 0x0
 03901   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03902   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03903   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03904   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03905   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03906   452   NtClose  (348, ... ) == 0x0
 03907   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03908   452   NtClose  (376, ... ) == 0x0
 03909   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03910   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03911   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03912   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03913   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03914   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03915   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03916   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x8b09, {512, 384}}, ) == 0x1
 03917   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03918   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03919   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03920   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03921   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03922   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03923   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03924   452   NtClose  (376, ... ) == 0x0
 03925   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03926   452   NtClose  (348, ... ) == 0x0
 03927   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03928   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03929   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03930   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03931   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03932   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03933   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03934   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x92d9, {512, 384}}, ) == 0x1
 03935   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03936   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03937   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 03938   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 03939   452   NtClose  (348, ... ) == 0x0
 03940   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03941   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 03942   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03943   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03944   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 03945   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 03946   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 03947   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 03948   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 03949   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\277\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 03950   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\277\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\277\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 03951   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03952   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 03953   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\273h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03954   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\272h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 03955   452   NtClose  (348, ... ) == 0x0
 03956   452   NtClose  (376, ... ) == 0x0
 03957   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03958   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03959   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03960   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03961   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03962   452   NtClose  (376, ... ) == 0x0
 03963   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03964   452   NtClose  (348, ... ) == 0x0
 03965   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03966   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03967   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03968   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03969   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03970   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03971   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03972   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x9aa9, {512, 384}}, ) == 0x1
 03973   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03974   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03975   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 03976   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03977   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 03978   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 03979   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 03980   452   NtClose  (348, ... ) == 0x0
 03981   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03982   452   NtClose  (376, ... ) == 0x0
 03983   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03984   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03985   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03986   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 03987   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 03988   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 03989   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 03990   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xa279, {512, 384}}, ) == 0x1
 03991   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 03992   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 03993   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 03994   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 03995   452   NtClose  (376, ... ) == 0x0
 03996   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03997   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 03998   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 03999   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04000   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04001   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04002   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04003   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04004   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04005   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\301\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04006   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\301\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\301\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04007   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04008   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04009   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\277h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04010   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\276h\365H\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04011   452   NtClose  (376, ... ) == 0x0
 04012   452   NtClose  (348, ... ) == 0x0
 04013   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04014   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04015   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04016   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04017   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04018   452   NtClose  (348, ... ) == 0x0
 04019   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04020   452   NtClose  (376, ... ) == 0x0
 04021   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04022   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04023   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04024   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04025   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04026   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04027   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04028   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xaa49, {512, 384}}, ) == 0x1
 04029   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04030   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04031   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04032   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04033   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04034   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04035   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04036   452   NtClose  (376, ... ) == 0x0
 04037   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04038   452   NtClose  (348, ... ) == 0x0
 04039   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04040   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04041   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04042   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04043   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04044   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04045   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04046   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xb219, {512, 384}}, ) == 0x1
 04047   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04048   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04049   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04050   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04051   452   NtClose  (348, ... ) == 0x0
 04052   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04053   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04054   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04055   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04056   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04057   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04058   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04059   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04060   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04061   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\303\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04062   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\303\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\303\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04063   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04064   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04065   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\23\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04066   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\22\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04067   452   NtClose  (348, ... ) == 0x0
 04068   452   NtClose  (376, ... ) == 0x0
 04069   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04070   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04071   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04072   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04073   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04074   452   NtClose  (376, ... ) == 0x0
 04075   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04076   452   NtClose  (348, ... ) == 0x0
 04077   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04078   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04079   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04080   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04081   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04082   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04083   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04084   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xb9f9, {512, 384}}, ) == 0x1
 04085   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04086   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04087   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04088   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04089   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04090   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04091   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04092   452   NtClose  (348, ... ) == 0x0
 04093   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04094   452   NtClose  (376, ... ) == 0x0
 04095   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04096   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04097   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04098   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04099   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04100   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04101   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04102   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xc1d9, {512, 384}}, ) == 0x1
 04103   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04104   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04105   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04106   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04107   452   NtClose  (376, ... ) == 0x0
 04108   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04109   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04110   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04111   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04112   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04113   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04114   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04115   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04116   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04117   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04118   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\305\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04119   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04120   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04121   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\27\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04122   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\26\254\355N\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04123   452   NtClose  (376, ... ) == 0x0
 04124   452   NtClose  (348, ... ) == 0x0
 04125   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04126   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04127   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04128   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04129   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04130   452   NtClose  (348, ... ) == 0x0
 04131   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04132   452   NtClose  (376, ... ) == 0x0
 04133   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04134   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04135   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04136   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04137   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04138   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04139   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04140   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xc9b8, {512, 384}}, ) == 0x1
 04141   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04142   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04143   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04144   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04145   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04146   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04147   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04148   452   NtClose  (376, ... ) == 0x0
 04149   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04150   452   NtClose  (348, ... ) == 0x0
 04151   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04152   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04153   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04154   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04155   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04156   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04157   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04158   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xd188, {512, 384}}, ) == 0x1
 04159   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04160   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04161   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04162   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04163   452   NtClose  (348, ... ) == 0x0
 04164   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04165   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04166   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04167   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04168   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04169   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04170   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04171   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04172   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04173   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04174   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04175   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04176   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04177   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04178   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\06\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04179   452   NtClose  (348, ... ) == 0x0
 04180   452   NtClose  (376, ... ) == 0x0
 04181   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04182   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04183   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04184   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04185   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04186   452   NtClose  (376, ... ) == 0x0
 04187   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04188   452   NtClose  (348, ... ) == 0x0
 04189   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04190   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04191   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04192   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04193   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04194   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04195   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04196   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xd958, {512, 384}}, ) == 0x1
 04197   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04198   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04199   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04200   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04201   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04202   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04203   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04204   452   NtClose  (348, ... ) == 0x0
 04205   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04206   452   NtClose  (376, ... ) == 0x0
 04207   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04208   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04209   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04210   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04211   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04212   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04213   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04214   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xe128, {512, 384}}, ) == 0x1
 04215   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04216   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04217   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04218   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04219   452   NtClose  (376, ... ) == 0x0
 04220   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04221   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04222   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04223   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04224   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04225   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04226   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04227   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04228   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04229   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04230   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\310\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04231   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04232   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04233   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\09\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04234   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\08\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04235   452   NtClose  (376, ... ) == 0x0
 04236   452   NtClose  (348, ... ) == 0x0
 04237   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04238   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04239   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04240   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04241   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04242   452   NtClose  (348, ... ) == 0x0
 04243   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04244   452   NtClose  (376, ... ) == 0x0
 04245   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04246   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04247   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04248   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04249   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04250   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04251   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04252   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xe8f8, {512, 384}}, ) == 0x1
 04253   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04254   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04255   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04256   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04257   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04258   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x0
 04259   452   NtQueryValueKey  (272,  (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04260   452   NtQueryValueKey  (272,  (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04261   452   NtQueryValueKey  (272,  (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 04262   452   NtQueryValueKey  (272,  (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 04263   452   NtQueryValueKey  (272,  (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 04264   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04265   452   NtQueryValueKey  (272,  (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 04266   452   NtNotifyChangeKey  (272, 276, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 04267   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04268   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04269   452   NtClose  (376, ... ) == 0x0
 04270   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04271   452   NtClose  (348, ... ) == 0x0
 04272   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04273   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04274   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04275   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04276   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04277   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04278   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04279   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xf0d8, {512, 384}}, ) == 0x1
 04280   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04281   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04282   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04283   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04284   452   NtClose  (348, ... ) == 0x0
 04285   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04286   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04287   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04288   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04289   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04290   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04291   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04292   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04293   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04294   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\312\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04295   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\312\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\312\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04296   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04297   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04298   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0=\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04299   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0<\301yU\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04300   452   NtClose  (348, ... ) == 0x0
 04301   452   NtClose  (376, ... ) == 0x0
 04302   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04303   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04304   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04305   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04306   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04307   452   NtClose  (376, ... ) == 0x0
 04308   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04309   452   NtClose  (348, ... ) == 0x0
 04310   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04311   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04312   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04313   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04314   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04315   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04316   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04317   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0xf8a8, {512, 384}}, ) == 0x1
 04318   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04319   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04320   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04321   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04322   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04323   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04324   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04325   452   NtClose  (348, ... ) == 0x0
 04326   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04327   452   NtClose  (376, ... ) == 0x0
 04328   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04329   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04330   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04331   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04332   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04333   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04334   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04335   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x10087, {512, 384}}, ) == 0x1
 04336   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04337   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04338   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04339   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04340   452   NtClose  (376, ... ) == 0x0
 04341   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04342   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04343   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04344   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04345   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04346   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04347   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04348   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04349   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04350   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04351   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04352   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04353   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04354   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\353\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04355   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\352\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04356   452   NtClose  (376, ... ) == 0x0
 04357   452   NtClose  (348, ... ) == 0x0
 04358   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04359   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04360   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04361   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04362   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04363   452   NtClose  (348, ... ) == 0x0
 04364   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04365   452   NtClose  (376, ... ) == 0x0
 04366   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04367   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04368   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04369   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04370   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04371   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04372   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04373   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x10857, {512, 384}}, ) == 0x1
 04374   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04375   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04376   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04377   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04378   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04379   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04380   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04381   452   NtClose  (376, ... ) == 0x0
 04382   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04383   452   NtClose  (348, ... ) == 0x0
 04384   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04385   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04386   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04387   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04388   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04389   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04390   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04391   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x11027, {512, 384}}, ) == 0x1
 04392   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04393   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04394   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04395   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04396   452   NtClose  (348, ... ) == 0x0
 04397   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04398   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04399   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04400   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04401   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04402   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04403   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04404   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04405   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04406   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\316\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04407   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\316\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\316\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04408   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04409   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04410   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\357\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04411   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04412   452   NtClose  (348, ... ) == 0x0
 04413   452   NtClose  (376, ... ) == 0x0
 04414   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04415   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04416   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04417   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04418   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04419   452   NtClose  (376, ... ) == 0x0
 04420   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04421   452   NtClose  (348, ... ) == 0x0
 04422   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04423   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04424   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04425   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04426   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04427   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04428   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04429   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x117f7, {512, 384}}, ) == 0x1
 04430   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04431   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04432   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04433   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04434   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04435   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04436   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04437   452   NtClose  (348, ... ) == 0x0
 04438   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04439   452   NtClose  (376, ... ) == 0x0
 04440   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04441   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04442   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04443   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04444   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04445   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04446   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04447   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x11fc7, {512, 384}}, ) == 0x1
 04448   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04449   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04450   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04451   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04452   452   NtClose  (376, ... ) == 0x0
 04453   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04454   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04455   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04456   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04457   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04458   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04459   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04460   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04461   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04462   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\320\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04463   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\320\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\320\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04464   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04465   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04466   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04467   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362\223\245\\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04468   452   NtClose  (376, ... ) == 0x0
 04469   452   NtClose  (348, ... ) == 0x0
 04470   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04471   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04472   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04473   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04474   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04475   452   NtClose  (348, ... ) == 0x0
 04476   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04477   452   NtClose  (376, ... ) == 0x0
 04478   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04479   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04480   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04481   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04482   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04483   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04484   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04485   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x12797, {512, 384}}, ) == 0x1
 04486   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04487   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04488   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04489   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04490   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04491   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04492   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04493   452   NtClose  (376, ... ) == 0x0
 04494   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04495   452   NtClose  (348, ... ) == 0x0
 04496   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04497   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04498   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04499   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04500   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04501   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04502   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04503   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x12f67, {512, 384}}, ) == 0x1
 04504   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04505   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04506   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04507   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04508   452   NtClose  (348, ... ) == 0x0
 04509   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04510   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04511   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04512   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04513   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04514   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04515   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04516   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04517   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04518   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\322\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04519   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\322\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\322\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04520   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04521   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04522   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\355\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04523   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\354\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04524   452   NtClose  (348, ... ) == 0x0
 04525   452   NtClose  (376, ... ) == 0x0
 04526   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04527   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04528   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04529   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04530   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04531   452   NtClose  (376, ... ) == 0x0
 04532   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04533   452   NtClose  (348, ... ) == 0x0
 04534   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04535   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04536   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04537   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04538   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04539   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04540   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04541   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x13737, {512, 384}}, ) == 0x1
 04542   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04543   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04544   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04545   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04546   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04547   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04548   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04549   452   NtClose  (348, ... ) == 0x0
 04550   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04551   452   NtClose  (376, ... ) == 0x0
 04552   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04553   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04554   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04555   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04556   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04557   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04558   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04559   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x13f07, {512, 384}}, ) == 0x1
 04560   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04561   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04562   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04563   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04564   452   NtClose  (376, ... ) == 0x0
 04565   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04566   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04567   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04568   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04569   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04570   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04571   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04572   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04573   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04574   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\324\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04575   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\324\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\324\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04576   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04577   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04578   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04579   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04580   452   NtClose  (376, ... ) == 0x0
 04581   452   NtClose  (348, ... ) == 0x0
 04582   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04583   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04584   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04585   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04586   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04587   452   NtClose  (348, ... ) == 0x0
 04588   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04589   452   NtClose  (376, ... ) == 0x0
 04590   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04591   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04592   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04593   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04594   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04595   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04596   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04597   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x146d7, {512, 384}}, ) == 0x1
 04598   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04599   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04600   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04601   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04602   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04603   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04604   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04605   452   NtClose  (376, ... ) == 0x0
 04606   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04607   452   NtClose  (348, ... ) == 0x0
 04608   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04609   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04610   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04611   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04612   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04613   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04614   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04615   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x14ea7, {512, 384}}, ) == 0x1
 04616   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04617   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04618   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04619   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04620   452   NtClose  (348, ... ) == 0x0
 04621   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04622   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04623   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04624   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04625   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04626   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04627   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04628   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04629   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04630   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\326\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04631   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\326\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\326\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04632   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04633   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04634   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04635   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\366\241\314c\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04636   452   NtClose  (348, ... ) == 0x0
 04637   452   NtClose  (376, ... ) == 0x0
 04638   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04639   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04640   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04641   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04642   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04643   452   NtClose  (376, ... ) == 0x0
 04644   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04645   452   NtClose  (348, ... ) == 0x0
 04646   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04647   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04648   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04649   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04650   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04651   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04652   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04653   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x15677, {512, 384}}, ) == 0x1
 04654   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04655   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04656   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04657   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04658   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04659   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04660   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04661   452   NtClose  (348, ... ) == 0x0
 04662   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04663   452   NtClose  (376, ... ) == 0x0
 04664   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04665   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04666   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04667   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04668   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04669   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04670   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04671   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x15e47, {512, 384}}, ) == 0x1
 04672   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04673   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04674   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x102
 04675   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0
 04676   452   NtWaitForSingleObject  (376, 0, {-1800000000, -1}, ... ) == 0x0
 04677   452   NtClose  (376, ... ) == 0x0
 04678   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04679   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0
 04680   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04681   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04682   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0
 04683   452   NtSetInformationFile  (348, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04684   452   NtSetInformationFile  (348, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04685   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04686   452   NtWriteFile  (348, 293, 0, 0,  (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04687   452   NtReadFile  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\330\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04688   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\330\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\330\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04689   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04690   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04691   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\353\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04692   452   NtFsControlFile  (348, 293, 0x0, 0x0, 0x11c017,  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\352\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04693   452   NtClose  (376, ... ) == 0x0
 04694   452   NtClose  (348, ... ) == 0x0
 04695   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04696   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04697   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04698   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x102
 04699   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04700   452   NtCreateKey  (0x20019, {24, 348, 0x40, 0, 0,  (0x20019, {24, 348, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04701   452   NtClose  (348, ... ) == 0x0
 04702   452   NtQueryValueKey  (376,  (376, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04703   452   NtClose  (376, ... ) == 0x0
 04704   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04705   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04706   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04707   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04708   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04709   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04710   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04711   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x16617, {512, 384}}, ) == 0x1
 04712   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04713   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04714   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04715   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04716   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04717   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x102
 04718   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04719   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04720   452   NtClose  (376, ... ) == 0x0
 04721   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04722   452   NtClose  (348, ... ) == 0x0
 04723   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04724   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04725   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04726   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04727   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04728   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04729   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04730   452   NtUserGetMessage  (0, 0, 0, ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x16de7, {512, 384}}, ) == 0x1
 04731   452   NtWaitForSingleObject  (196, 0, 0x0, ... ) == 0x0
 04732   452   NtWaitForSingleObject  (200, 0, 0x0, ... ) == 0x0
 04733   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x102
 04734   452   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0
 04735   452   NtWaitForSingleObject  (348, 0, {-1800000000, -1}, ... ) == 0x0
 04736   452   NtClose  (348, ... ) == 0x0
 04737   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04738   452   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0
 04739   452   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 04740   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04741   452   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1240880,  (0xc0100080, {24, 0, 0x40, 0, 1240880, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0
 04742   452   NtSetInformationFile  (376, 1240936, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 04743   452   NtSetInformationFile  (376, 1240928, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 04744   452   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 04745   452   NtWriteFile  (376, 293, 0, 0,  (376, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 04746   452   NtReadFile  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (376, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\332\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 04747   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\332\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\332\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 04748   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04749   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 04750   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\357\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04751   452   NtFsControlFile  (376, 293, 0x0, 0x0, 0x11c017,  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (376, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356\257\363j\344\200\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 04752   452   NtClose  (348, ... ) == 0x0
 04753   452   NtClose  (376, ... ) == 0x0
 04754   452   NtReleaseMutant  (200, ... 0x0, ) == 0x0
 04755   452   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04756   452   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 04757   452   NtWaitForMultipleObjects  (2, (260, 276, ), 1, 0, {0, 0}, ... ) == 0x102
 04758   452   NtCreateKey  (0x2001d, {24, 48, 0x40, 0, 0,  (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0
 04759   452   NtCreateKey  (0x20019, {24, 376, 0x40, 0, 0,  (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0
 04760   452   NtClose  (376, ... ) == 0x0
 04761   452   NtQueryValueKey  (348,  (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 04762   452   NtClose  (348, ... ) == 0x0
 04763   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04764   452   NtQueryInformationFile  (148, 1242300, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04765   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04766   452   NtWaitForSingleObject  (152, 0, 0x0, ... ) == 0x0
 04767   452   NtQueryInformationFile  (148, 1242456, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 04768   452   NtReleaseMutant  (152, ... 0x0, ) == 0x0
 04769   452   NtReleaseMutant  (196, ... 0x0, ) == 0x0
 04770   452   NtUserGetMessage  (0, 0, 0, ...
NtAccessCheck(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryVolumeInformationFile(>)	11	NtAllocateVirtualMemory(>)	52
NtAddAtom(>)	1	NtGdiHfontCreate(>)	2	NtUserCallOneParam(>)	11	NtSetValueKey(>)	52
NtCallbackReturn(>)	1	NtOpenDirectoryObject(>)	2	NtUserSystemParametersInfo(>)	11	NtQueryInformationProcess(>)	54
NtContinue(>)	1	NtQueryInstallUILanguage(>)	2	NtCreateSemaphore(>)	12	NtRequestWaitReplyPort(>)	55
NtGdiCreateBitmap(>)	1	NtUserCreateWindowEx(>)	2	NtEnumerateKey(>)	12	NtCreateFile(>)	57
NtGdiCreatePatternBrushInternal(>)	1	NtUserGetObjectInformation(>)	2	NtOpenProcessToken(>)	12	NtSetInformationThread(>)	61
NtGdiInit(>)	1	NtUserMessageCall(>)	2	NtQueryDefaultUILanguage(>)	12	NtMapViewOfSection(>)	63
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateCompatibleDC(>)	3	NtSetEvent(>)	12	NtUserRegisterClassExWOW(>)	64
NtGdiSelectBitmap(>)	1	NtDuplicateObject(>)	4	NtOpenProcessTokenEx(>)	16	NtOpenThreadToken(>)	77
NtOpenKeyedEvent(>)	1	NtUserRegisterWindowMessage(>)	4	NtOpenThreadTokenEx(>)	16	NtCreateEvent(>)	86
NtOpenProcess(>)	1	NtDuplicateToken(>)	5	NtProtectVirtualMemory(>)	16	NtSetInformationFile(>)	96
NtOpenSymbolicLinkObject(>)	1	NtGdiGetStockObject(>)	5	NtQuerySection(>)	18	NtQueryDefaultLocale(>)	99
NtQueryEvent(>)	1	NtQuerySecurityObject(>)	5	NtUnmapViewOfSection(>)	20	NtQueryInformationFile(>)	108
NtQueryObject(>)	1	NtSetInformationObject(>)	5	NtConnectPort(>)	22	NtQueryAttributesFile(>)	110
NtQuerySymbolicLinkObject(>)	1	NtCreateMutant(>)	6	NtOpenEvent(>)	23	NtOpenFile(>)	114
NtQuerySystemTime(>)	1	NtFreeVirtualMemory(>)	6	NtQuerySystemInformation(>)	25	NtFsControlFile(>)	125
NtQueryTimerResolution(>)	1	NtNotifyChangeKey(>)	6	NtQueryDirectoryFile(>)	28	NtQueryVirtualMemory(>)	147
NtRegisterThreadTerminatePort(>)	1	NtWaitForMultipleObjects(>)	6	NtQueryDebugFilterState(>)	29	NtCreateKey(>)	163
NtSecureConnectPort(>)	1	NtReleaseSemaphore(>)	7	NtCreateSection(>)	32	NtReleaseMutant(>)	185
NtTestAlert(>)	1	NtUserCallNoParam(>)	7	NtWriteFile(>)	32	NtEnumerateValueKey(>)	231
NtUserGetDC(>)	1	NtFlushInstructionCache(>)	8	NtUserGetMessage(>)	34	NtWaitForSingleObject(>)	253
NtUserGetGUIThreadInfo(>)	1	NtQueryKey(>)	8	NtReadFile(>)	35	NtOpenKey(>)	339
NtUserGetProcessWindowStation(>)	1	NtOpenMutant(>)	9	NtUserGetClassInfo(>)	37	NtQueryValueKey(>)	649
NtUserGetThreadDesktop(>)	1	NtDeviceIoControlFile(>)	10	NtOpenSection(>)	45	NtClose(>)	709
NtUserSetProp(>)	1	NtUserGetWindowDC(>)	10	NtQueryInformationToken(>)	48
NtUserSetTimer(>)	1	NtClearEvent(>)	11	NtUserFindExistingCursorIcon(>)	48
NtCreateIoCompletion(>)	2