Summary:


NtAccessCheck(>)  1 
NtUserSetWindowsHookEx(>)  1 
NtGdiGetStockObject(>)  5 
NtQueryInformationToken(>)  25 

NtAddAtom(>)  1 
NtUserShowWindow(>)  1 
NtNotifyChangeKey(>)  5 
NtCreateSection(>)  31 

NtClearEvent(>)  1 
NtCallbackReturn(>)  2 
NtWaitForMultipleObjects(>)  5 
NtProtectVirtualMemory(>)  35 

NtCreateThread(>)  1 
NtContinue(>)  2 
NtOpenProcessToken(>)  6 
NtQueryDefaultLocale(>)  36 

NtGdiCreateBitmap(>)  1 
NtCreateIoCompletion(>)  2 
NtUserCallNoParam(>)  7 
NtUserGetClassInfo(>)  37 

NtGdiDeleteObjectApp(>)  1 
NtDuplicateToken(>)  2 
NtCreateSemaphore(>)  9 
NtOpenSection(>)  40 

NtGdiInit(>)  1 
NtGdiCreatePatternBrushInternal(>)  2 
NtOpenMutant(>)  9 
NtSetInformationThread(>)  43 

NtGdiQueryFontAssocInfo(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtQueryInformationFile(>)  47 

NtGdiSelectBitmap(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultUILanguage(>)  10 
NtAllocateVirtualMemory(>)  49 

NtOpenKeyedEvent(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryDirectoryFile(>)  10 
NtCreateFile(>)  49 

NtOpenProcess(>)  1 
NtQueryInstallUILanguage(>)  2 
NtOpenProcessTokenEx(>)  11 
NtOpenThreadToken(>)  50 

NtOpenSymbolicLinkObject(>)  1 
NtQueryKey(>)  2 
NtOpenThreadTokenEx(>)  11 
NtRequestWaitReplyPort(>)  50 

NtQueryEvent(>)  1 
NtQuerySecurityObject(>)  2 
NtUserSystemParametersInfo(>)  11 
NtUserFindExistingCursorIcon(>)  51 

NtQueryInformationThread(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtDelayExecution(>)  14 
NtCreateKey(>)  55 

NtQueryObject(>)  1 
NtSetEvent(>)  2 
NtDeviceIoControlFile(>)  14 
NtMapViewOfSection(>)  57 

NtQuerySymbolicLinkObject(>)  1 
NtTestAlert(>)  2 
NtUnmapViewOfSection(>)  16 
NtQueryVirtualMemory(>)  60 

NtQuerySystemTime(>)  1 
NtUserCreateWindowEx(>)  2 
NtFlushInstructionCache(>)  17 
NtSetInformationFile(>)  61 

NtQueryTimerResolution(>)  1 
NtUserGetThreadDesktop(>)  2 
NtConnectPort(>)  19 
NtOpenFile(>)  64 

NtResumeThread(>)  1 
NtUserMessageCall(>)  2 
NtQuerySection(>)  19 
NtUserRegisterClassExWOW(>)  64 

NtSecureConnectPort(>)  1 
NtDeleteValueKey(>)  3 
NtUserGetWindowDC(>)  19 
NtReleaseMutant(>)  71 

NtUserGetAncestor(>)  1 
NtFreeVirtualMemory(>)  3 
NtOpenEvent(>)  20 
NtCreateEvent(>)  73 

NtUserGetClassName(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtSetInformationProcess(>)  20 
NtFsControlFile(>)  92 

NtUserGetDC(>)  1 
NtUserGetObjectInformation(>)  3 
NtUserCallOneParam(>)  20 
NtQueryAttributesFile(>)  92 

NtUserGetGUIThreadInfo(>)  1 
NtCreateMutant(>)  4 
NtQueryDebugFilterState(>)  22 
NtEnumerateValueKey(>)  93 

NtUserGetMessage(>)  1 
NtEnumerateKey(>)  4 
NtQuerySystemInformation(>)  22 
NtWaitForSingleObject(>)  109 

NtUserGetProcessWindowStation(>)  1 
NtReleaseSemaphore(>)  4 
NtSetValueKey(>)  22 
NtOpenKey(>)  180 

NtUserRemoveProp(>)  1 
NtSetInformationObject(>)  4 
NtQueryInformationProcess(>)  23 
NtQueryValueKey(>)  429 

NtUserSetProp(>)  1 
NtUserRegisterWindowMessage(>)  4 
NtReadFile(>)  23 
NtClose(>)  438 

NtUserSetWindowPos(>)  1 
NtDuplicateObject(>)  5 
NtWriteFile(>)  23 

Trace:
 00001   416   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   416   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   416   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 2359296, 1048576, ) == 0x0
 00005   416   NtAllocateVirtualMemory  (-1, 2359296, 0, 4096, 4096, 4, ... 2359296, 4096, ) == 0x0
 00006   416   NtAllocateVirtualMemory  (-1, 2363392, 0, 8192, 4096, 4, ... 2363392, 8192, ) == 0x0
 00007   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0
 00009   416   NtAllocateVirtualMemory  (-1, 3407872, 0, 24576, 4096, 4, ... 3407872, 24576, ) == 0x0
 00010   416   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   416   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   416   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   416   NtClose  (12, ... ) == 0x0
 00014   416   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   416   NtQueryVolumeInformationFile  (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   416   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   416   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   416   NtClose  (16, ... ) == 0x0
 00021   416   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   416   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   416   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 2368312, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 3473408, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 2368312, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 3473408, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   416   NtClose  (16, ... ) == 0x0
 00026   416   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   416   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   416   NtQueryVirtualMemory  (-1, 0x350000, Basic, 28, ... {BaseAddress=0x350000,AllocationBase=0x350000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   416   NtAllocateVirtualMemory  (-1, 3473408, 0, 4096, 4096, 4, ... 3473408, 4096, ) == 0x0
 00031   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1484, 0} "\220;\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 412, 416, 1484, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 412, 416, 1484, 0} "\220;\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   416   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   416   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   416   NtClose  (16, ... ) == 0x0
 00036   416   NtAllocateVirtualMemory  (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0
 00037   416   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x360000), 0x0, 90112, ) == 0x0
 00040   416   NtClose  (28, ... ) == 0x0
 00041   416   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 212992, ) == 0x0
 00044   416   NtClose  (28, ... ) == 0x0
 00045   416   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 266240, ) == 0x0
 00047   416   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   416   NtClose  (28, ... ) == 0x0
 00049   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 24576, ) == 0x0
 00051   416   NtClose  (28, ... ) == 0x0
 00052   416   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1487, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 412, 416, 1487, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 412, 416, 1487, 0} "\200\324\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 8, ) == 0x0
 00057   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 8, ... (0x411000), 4096, 4, ) == 0x0
 00058   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00059   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00060   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   416   NtClose  (28, ... ) == 0x0
 00062   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   416   NtClose  (28, ... ) == 0x0
 00065   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00066   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00067   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00068   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   416   NtClose  (28, ... ) == 0x0
 00071   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00072   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00073   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00074   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   416   NtClose  (28, ... ) == 0x0
 00077   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   416   NtClose  (28, ... ) == 0x0
 00080   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00081   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00082   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00083   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00084   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   416   NtClose  (28, ... ) == 0x0
 00086   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   416   NtClose  (28, ... ) == 0x0
 00089   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   416   NtClose  (28, ... ) == 0x0
 00092   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   416   NtClose  (28, ... ) == 0x0
 00095   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   416   NtClose  (28, ... ) == 0x0
 00098   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   416   NtClose  (28, ... ) == 0x0
 00101   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00102   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00103   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00104   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   416   NtAllocateVirtualMemory  (-1, 2371584, 0, 4096, 4096, 4, ... 2371584, 4096, ) == 0x0
 00106   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.DLL"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WSOCK32.DLL"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 2291200, ... ) }, 2291200, ... ) == 0x0
 00109   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   416   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   416   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   416   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   416   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   416   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   416   NtClose  (40, ... ) == 0x0
 00118   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   416   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   416   NtClose  (40, ... ) == 0x0
 00122   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   416   NtClose  (36, ... ) == 0x0
 00124   416   NtClose  (28, ... ) == 0x0
 00125   416   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0
 00126   416   NtClose  (32, ... ) == 0x0
 00127   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2290396, ... ) }, 2290396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2290396, ... ) }, 2290396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2290396, ... ) }, 2290396, ... ) == 0x0
 00131   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   416   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   416   NtClose  (32, ... ) == 0x0
 00135   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00136   416   NtClose  (28, ... ) == 0x0
 00137   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == 0x0
 00141   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00142   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00143   416   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00144   416   NtClose  (28, ... ) == 0x0
 00145   416   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00146   416   NtClose  (32, ... ) == 0x0
 00147   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00148   416   NtProtectVirtualMemory  (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 4, ) == 0x0
 00149   416   NtFlushInstructionCache  (-1, 4263936, 4096, ... ) == 0x0
 00150   416   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00151   416   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00152   416   NtClose  (32, ... ) == 0x0
 00153   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00154   416   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00155   416   NtClose  (32, ... ) == 0x0
 00156   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00157   416   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00158   416   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00159   416   NtClose  (32, ... ) == 0x0
 00160   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00161   416   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00162   416   NtClose  (32, ... ) == 0x0
 00163   416   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00164   416   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00165   416   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00166   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00167   416   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0
 00168   416   NtAllocateVirtualMemory  (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0
 00169   416   NtAllocateVirtualMemory  (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0
 00170   416   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00171   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3e0000), 0x0, 12288, ) == 0x0
 00172   416   NtClose  (28, ... ) == 0x0
 00173   416   NtAllocateVirtualMemory  (-1, 4009984, 0, 4096, 4096, 4, ... 4009984, 4096, ) == 0x0
 00174   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00175   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256}  (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1497, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" ) \0\3\0\0\0\234\6\35\1$\1\0\0 (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1497, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" ) XQ\26\0\0\0\0\0\0\0\0\0\360\367 (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\35\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 412, 416, 1497, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00176   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00177   416   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x540000), 0x0, 1060864, ) == 0x0
 00178   416   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00179   416   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00180   416   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00181   416   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00182   416   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00183   416   NtClose  (-2147482020, ... ) == 0x0
 00184   416   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00185   416   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00186   416   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00187   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00188   416   NtQueryValueKey  (-2147482024,  (-2147482024, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   416   NtClose  (-2147482024, ... ) == 0x0
 00190   416   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00191   416   NtQueryValueKey  (-2147482024,  (-2147482024, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00192   416   NtClose  (-2147482024, ... ) == 0x0
 00193   416   NtQueryDefaultLocale  (0, -104879604, ... ) == 0x0
 00194   416   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00195   416   NtUserCallNoParam  (24, ... ) == 0x0
 00196   416   NtGdiCreateCompatibleDC  (0, ...
 00197   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00196   416   NtGdiCreateCompatibleDC  ... ) == 0x190103c3
 00198   416   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00199   416   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00200   416   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x100503cd
 00201   416   NtGdiCreateSolidBrush  (0, 0, ...
 00202   416   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9764864, 4096, ) == 0x0
 00201   416   NtGdiCreateSolidBrush  ... ) == 0x101003cc
 00203   416   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00204   416   NtGdiCreateCompatibleDC  (0, ... ) == 0x3e01040c
 00205   416   NtGdiSelectBitmap  (1040253964, 268764109, ... ) == 0x185000f
 00206   416   NtUserGetThreadDesktop  (416, 0, ... ) == 0x2c
 00207   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00208   416   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00209   416   NtClose  (52, ... ) == 0x0
 00210   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00211   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 673, 128, 0, ... ) == 0x810cc017
 00212   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00213   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 674, 128, 0, ... ) == 0x810cc01c
 00214   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00215   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 675, 128, 0, ... ) == 0x810cc01e
 00216   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00217   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 676, 128, 0, ... ) == 0x810c8002
 00218   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10013
 00219   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 677, 128, 0, ... ) == 0x810cc018
 00220   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00221   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 678, 128, 0, ... ) == 0x810cc01a
 00222   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00223   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 679, 128, 0, ... ) == 0x810cc01d
 00224   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00225   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 681, 128, 0, ... ) == 0x810cc026
 00226   416   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00227   416   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 680, 128, 0, ... ) == 0x810cc019
 00228   416   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ...
 00229   416   NtAllocateVirtualMemory  (-1, 6713344, 0, 4096, 4096, 32, ... 6713344, 4096, ) == 0x0
 00228   416   NtUserRegisterClassExWOW  ... ) == 0x810cc020
 00230   416   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810cc022
 00231   416   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810cc023
 00232   416   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810cc024
 00233   416   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810cc025
 00234   416   NtCallbackReturn  (0, 0, 0, ...
 00235   416   NtGdiInit  (... ) == 0x1
 00236   416   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00237   416   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00238   416   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00239   416   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00240   416   NtAllocateVirtualMemory  (-1, 2375680, 0, 4096, 4096, 4, ... 2375680, 4096, ) == 0x0
 00241   416   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00242   416   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243   416   NtClose  (52, ... ) == 0x0
 00244   416   NtAllocateVirtualMemory  (-1, 2379776, 0, 4096, 4096, 4, ... 2379776, 4096, ) == 0x0
 00245   416   NtAllocateVirtualMemory  (-1, 2383872, 0, 4096, 4096, 4, ... 2383872, 4096, ) == 0x0
 00246   416   NtAllocateVirtualMemory  (-1, 2387968, 0, 4096, 4096, 4, ... 2387968, 4096, ) == 0x0
 00247   416   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00248   416   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 2292108, 0,  (0x1f0003, {24, 52, 0x80, 2292108, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00249   416   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00250   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00251   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00252   416   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00253   416   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00254   416   NtClose  (60, ... ) == 0x0
 00255   416   NtAllocateVirtualMemory  (-1, 2392064, 0, 4096, 4096, 4, ... 2392064, 4096, ) == 0x0
 00256   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00257   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00258   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00259   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00260   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00261   416   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   416   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   416   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   416   NtClose  (60, ... ) == 0x0
 00265   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00266   416   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00267   416   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00268   416   NtClose  (60, ... ) == 0x0
 00269   416   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   416   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00271   416   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   416   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   416   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   416   NtAllocateVirtualMemory  (-1, 2396160, 0, 8192, 4096, 4, ... 2396160, 8192, ) == 0x0
 00275   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00276   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00277   416   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00278   416   NtClose  (60, ... ) == 0x0
 00279   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00280   416   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0
 00281   416   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00282   416   NtQueryDefaultUILanguage  (2290344, ...
 00283   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00284   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00285   416   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00286   416   NtClose  (-2147482020, ... ) == 0x0
 00287   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00288   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   416   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00290   416   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00291   416   NtClose  (-2147482032, ... ) == 0x0
 00292   416   NtClose  (-2147482020, ... ) == 0x0
 00282   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00293   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00294   416   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00295   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00296   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00297   416   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x960000), 0x0, 593920, ) == 0x0
 00298   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00299   416   NtQueryDefaultUILanguage  (2013024600, ...
 00300   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00301   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00302   416   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00303   416   NtClose  (-2147482020, ... ) == 0x0
 00304   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00305   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00306   416   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00307   416   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00308   416   NtClose  (-2147482032, ... ) == 0x0
 00309   416   NtClose  (-2147482020, ... ) == 0x0
 00299   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00310   416   NtAllocateVirtualMemory  (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0
 00311   416   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00312   416   NtQueryDefaultLocale  (1, 2288380, ... ) == 0x0
 00313   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 416, 1500, 0}  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1500, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1D\0\0\0\377\377\377\377\0\0\0\0P\275\235\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" )  ) == 0x0
 00315   416   NtClose  (68, ... ) == 0x0
 00316   416   NtClose  (72, ... ) == 0x0
 00317   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00318   416   NtUnmapViewOfSection  (-1, 0x22f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00319   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   416   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00322   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00323   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2286920, ... ) }, 2286920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00324   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00325   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00326   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00327   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287512, ... ) }, 2287512, ... ) == 0x0
 00328   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00329   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00330   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00331   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00332   416   NtClose  (68, ... ) == 0x0
 00333   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 921600, ) == 0x0
 00334   416   NtClose  (76, ... ) == 0x0
 00335   416   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00336   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00337   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00338   416   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00339   416   NtClose  (76, ... ) == 0x0
 00340   416   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00341   416   NtClose  (68, ... ) == 0x0
 00342   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00343   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00344   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00345   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00346   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00347   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00348   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00352   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00353   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00354   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00355   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00356   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00357   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00358   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00359   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00360   416   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00361   416   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00362   416   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00363   416   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2288696, ... ) , 42, 2288696, ... ) == 0x0
 00364   416   NtQueryDefaultUILanguage  (2287412, ...
 00365   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00366   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00367   416   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00368   416   NtClose  (-2147482020, ... ) == 0x0
 00369   416   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00370   416   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00371   416   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00372   416   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00373   416   NtClose  (-2147482032, ... ) == 0x0
 00374   416   NtClose  (-2147482020, ... ) == 0x0
 00364   416   NtQueryDefaultUILanguage  ... ) == 0x0
 00375   416   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286264, ... ) }, 2286264, ... ) == 0x0
 00377   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00378   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00379   416   NtClose  (68, ... ) == 0x0
 00380   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 4096, ) == 0x0
 00381   416   NtClose  (76, ... ) == 0x0
 00382   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00383   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2285904, ... ) }, 2285904, ... ) == 0x0
 00384   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2286604,  (0x80100080, {24, 0, 0x40, 0, 2286604, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00385   416   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00386   416   NtClose  (76, ... ) == 0x0
 00387   416   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x960000), {0, 0}, 4096, ) == 0x0
 00388   416   NtClose  (68, ... ) == 0x0
 00389   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00390   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00391   416   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00392   416   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x960000), 0x0, 4096, ) == 0x0
 00393   416   NtQueryInformationFile  (68, 2286224, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00394   416   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00395   416   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\35\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1501, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\35\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1501, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351 (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\35\1\33\0\1\0\2405\37[\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 416, 1501, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2319\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" )  ) == 0x0
 00396   416   NtClose  (68, ... ) == 0x0
 00397   416   NtClose  (76, ... ) == 0x0
 00398   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00399   416   NtUnmapViewOfSection  (-1, 0x22e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00400   416   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00401   416   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00402   416   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00403   416   NtUserGetDC  (0, ... ) == 0x1010052
 00404   416   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00405   416   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00406   416   NtUserSystemParametersInfo  (66, 12, 2288716, 0, ... ) == 0x1
 00407   416   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00408   416   NtAccessCheck  (2393000, 76, 0x1, 2288120, 2288064, 56, 2288148, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00409   416   NtClose  (76, ... ) == 0x0
 00410   416   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00411   416   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   416   NtClose  (76, ... ) == 0x0
 00413   416   NtUserSystemParametersInfo  (41, 500, 2288216, 0, ... ) == 0x1
 00414   416   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00415   416   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   416   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00417   416   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   416   NtClose  (68, ... ) == 0x0
 00419   416   NtClose  (76, ... ) == 0x0
 00420   416   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00421   416   NtUserSystemParametersInfo  (4130, 0, 2288740, 0, ... ) == 0x1
 00422   416   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00423   416   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00424   416   NtClose  (76, ... ) == 0x0
 00425   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00426   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc03b
 00427   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc03d
 00428   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00429   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc03f
 00430   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00431   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc041
 00432   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00433   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc043
 00434   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc045
 00435   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00436   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc047
 00437   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00438   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc049
 00439   416   NtUserGetClassInfo  (1905590272, 2288636, 2288588, 2288664, 0, ... ) == 0xc049
 00440   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00441   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc04b
 00442   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00443   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc04d
 00444   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00445   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc04f
 00446   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc051
 00447   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00448   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc053
 00449   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00450   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc055
 00451   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc057
 00452   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00453   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc059
 00454   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10013
 00455   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc05b
 00456   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00457   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc05d
 00458   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00459   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc05f
 00460   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00461   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc017
 00462   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00463   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc019
 00464   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10013
 00465   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc018
 00466   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00467   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc01a
 00468   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00469   416   NtUserRegisterClassExWOW  (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810cc01c
 00470   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00471   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ...
 00472   416   NtAllocateVirtualMemory  (-1, 6717440, 0, 4096, 4096, 32, ... 6717440, 4096, ) == 0x0
 00471   416   NtUserRegisterClassExWOW  ... ) == 0x810cc01e
 00473   416   NtUserFindExistingCursorIcon  (2288020, 2288036, 2288604, ... ) == 0x10011
 00474   416   NtUserRegisterClassExWOW  (2288532, 2288612, 2288596, 2288628, 0, 384, 0, ... ) == 0x810cc01b
 00475   416   NtUserFindExistingCursorIcon  (2288016, 2288032, 2288600, ... ) == 0x10011
 00476   416   NtUserRegisterClassExWOW  (2288528, 2288608, 2288592, 2288624, 0, 384, 0, ... ) == 0x810cc068
 00477   416   NtUserFindExistingCursorIcon  (2288024, 2288040, 2288608, ... ) == 0x10011
 00478   416   NtUserRegisterClassExWOW  (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810cc06a
 00479   416   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00480   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00481   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00482   416   NtTestAlert  (... ) == 0x0
 00483   416   NtContinue  (2293040, 1, ...
 00484   416   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x410300,}, 4, ... ) == 0x0
 00485   416   NtAllocateVirtualMemory  (-1, 0, 0, 131064, 8192, 4, ... 9961472, 131072, ) == 0x0
 00486   416   NtAllocateVirtualMemory  (-1, 9961472, 0, 4096, 4096, 4, ... 9961472, 4096, ) == 0x0
 00487   416   NtUserFindExistingCursorIcon  (2292756, 2292772, 2293340, ... ) == 0x10003
 00488   416   NtUserFindExistingCursorIcon  (2292756, 2292772, 2293340, ... ) == 0x10003
 00489   416   NtUserFindExistingCursorIcon  (2292756, 2292772, 2293340, ... ) == 0x10011
 00490   416   NtUserRegisterClassExWOW  (2293268, 2293344, 2293360, 2293332, 0, 386, 0, ... ) == 0x810cc0cb
 00491   416   NtUserCreateWindowEx  (-2147483648, 2293252, 2293064, "13565952, -2147483648, -2147483648, 544, 375, 0, 0, 4194304, 0, 1073742848, 0, ...
 00492   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2289448, ... ) }, 2289448, ... ) == 0x0
 00493   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00494   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 80, ) == 0x0
 00495   416   NtClose  (68, ... ) == 0x0
 00496   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 204800, ) == 0x0
 00497   416   NtClose  (80, ... ) == 0x0
 00498   416   NtUnmapViewOfSection  (-1, 0x9a0000, ... ) == 0x0
 00499   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2289764, ... ) }, 2289764, ... ) == 0x0
 00500   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00501   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 68, ) == 0x0
 00502   416   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00503   416   NtClose  (80, ... ) == 0x0
 00504   416   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00505   416   NtClose  (68, ... ) == 0x0
 00506   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00507   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00508   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00509   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00510   416   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00511   416   NtClose  (68, ... ) == 0x0
 00512   416   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00513   416   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 80, ) }, ... 80, ) == 0x0
 00514   416   NtQueryValueKey  (80,  (80, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515   416   NtClose  (80, ... ) == 0x0
 00516   416   NtClose  (68, ... ) == 0x0
 00517   416   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00518   416   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00519   416   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00520   416   NtClose  (68, ... ) == 0x0
 00521   416   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00522   416   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00523   416   NtQueryValueKey  (80,  (80, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00524   416   NtClose  (80, ... ) == 0x0
 00525   416   NtClose  (68, ... ) == 0x0
 00526   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 2289264, ... ) }, 2289264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00527   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 2289264, ... ) }, 2289264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00528   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 2289264, ... ) }, 2289264, ... ) == 0x0
 00529   416   NtUserGetProcessWindowStation  (... ) == 0x28
 00530   416   NtUserGetObjectInformation  (40, 2, 0, 0, 2291560, ... ) == 0x0
 00531   416   NtUserGetObjectInformation  (40, 2, 2401656, 16, 2291560, ... ) == 0x1
 00532   416   NtUserGetGUIThreadInfo  (416, 2291516, ... ) == 0x1
 00533   416   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 2291336, 64, ... 68, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 2291336, 64, ... 68, 0x0, 0x0, 0x0, 64, ) == 0x0
 00534   416   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 1503, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1503, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00535   416   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1504, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 1504, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1504, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00536   416   NtUserCallNoParam  (29, ...
 00537   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2288808, ... ) }, 2288808, ... ) == 0x0
 00536   416   NtUserCallNoParam  ... ) == 0x0
 00538   416   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00539   416   NtGdiHfontCreate  (2290888, 356, 0, 0, 2403736, ... ) == 0x170a040b
 00540   416   NtGdiHfontCreate  (2290888, 356, 0, 0, 2403728, ... ) == 0xa0a03ba
 00541   416   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1505, 0} "\0\0\0\0\0\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 412, 416, 1505, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 412, 416, 1505, 0} "\0\0\0\0\0\0\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00542   416   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9a0000), {0, 0}, 331776, ) == 0x0
 00543   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00544   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00545   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00546   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00547   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00548   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00549   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00550   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00551   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00552   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00553   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00554   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00555   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00556   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00557   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00558   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00559   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00560   416   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x2b10040d
 00561   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00562   416   NtUserCallNoParam  (29, ...
 00563   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2288252, ... ) }, 2288252, ... ) == 0x0
 00562   416   NtUserCallNoParam  ... ) == 0x0
 00564   416   NtUserCallNoParam  (29, ...
 00565   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2288248, ... ) }, 2288248, ... ) == 0x0
 00564   416   NtUserCallNoParam  ... ) == 0x0
 00566   416   NtUserMessageCall  (0x200b0, WM_NCCREATE, 0x0, 0x22f870, 0, 670, 1, ... ) == 0x1
 00567   416   NtUserMessageCall  (0x200b0, WM_NCCALCSIZE, 0x0, 0x22f8a8, 0, 670, 1, ... ) == 0x0
 00568   416   NtUserGetClassName  (131248, 0, 2291032, ... ) == 0x9
 00569   416   NtUserRemoveProp  (131248, 43282, ... ) == 0x0
 00570   416   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 36, 0, 4194366, 2290632}  (24, {24, 52, new_msg, 0, 36, 0, 4194366, 2290632} "\0\0\0\0\5\4\3\0C\0:\0\\0W\0\240\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 412, 416, 1506, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\\0W\0\240\1\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 412, 416, 1506, 0}  (24, {24, 52, new_msg, 0, 36, 0, 4194366, 2290632} "\0\0\0\0\5\4\3\0C\0:\0\\0W\0\240\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 412, 416, 1506, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\\0W\0\240\1\0\0\0\0\0\0" )  ) == 0x0
 00571   416   NtUserGetThreadDesktop  (416, 0, ... ) == 0x2c
 00572   416   NtUserGetObjectInformation  (44, 2, 2290708, 520, 0, ... ) == 0x1
 00573   416   NtGdiDeleteObjectApp  (722469901, ... ) == 0x1
 00574   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00575   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00576   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00577   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00578   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00579   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00580   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00581   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00582   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00583   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00584   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00585   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00586   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00587   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00588   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00589   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00590   416   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00591   416   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x2c10040d
 00592   416   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00593   416   NtAllocateVirtualMemory  (-1, 4014080, 0, 4096, 4096, 4, ... 4014080, 4096, ) == 0x0
 00594   416   NtUserSetProp  (131248, 43288, 4013896, ... ) == 0x1
 00595   416   NtUserGetAncestor  (131248, 1, ... ) == 0x10014
 00596   416   NtUserSetWindowPos  (131248, 0, 132, 174, 544, 375, 1047, ... ) == 0x1
 00491   416   NtUserCreateWindowEx  ... ) == 0x200b0
 00597   416   NtUserShowWindow  (131248, 0, ... ) == 0x0
 00598   416   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "KGAELICAE2"}, 1, ... 84, ) }, 1, ... 84, ) == 0x0
 00599   416   NtAllocateVirtualMemory  (-1, 2404352, 0, 4096, 4096, 4, ... 2404352, 4096, ) == 0x0
 00600   416   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 88, {status=0x0, info=1}, ) }, 7, 2113568, ... 88, {status=0x0, info=1}, ) == 0x0
 00601   416   NtSetInformationFile  (88, 2292848, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 00602   416   NtClose  (88, ... ) == 0x0
 00603   416   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 88, ) }, ... 88, ) == 0x0
 00604   416   NtQueryValueKey  (88,  (88, "Common Startup", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\\0S\0t\0a\0r\0t\0u\0p\0\0\0"}, 140, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "Common Startup", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\\0S\0t\0a\0r\0t\0u\0p\0\0\0"}, 140, ) }, 140, ) == 0x0
 00605   416   NtQueryValueKey  (88,  (88, "Common Startup", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\\0S\0t\0a\0r\0t\0u\0p\0\0\0"}, 140, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "Common Startup", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0P\0r\0o\0g\0r\0a\0m\0s\0\\0S\0t\0a\0r\0t\0u\0p\0\0\0"}, 140, ) }, 140, ) == 0x0
 00606   416   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2291788,  (0x80100080, {24, 0, 0x40, 0, 2291788, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00607   416   NtQueryInformationFile  (92, 2292724, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00608   416   NtQueryInformationFile  (92, 2292696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00609   416   NtQueryInformationFile  (92, 2292648, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00610   416   NtAllocateVirtualMemory  (-1, 2408448, 0, 8192, 4096, 4, ... 2408448, 8192, ) == 0x0
 00611   416   NtQueryInformationFile  (92, 2405040, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 00612   416   NtQueryInformationFile  (92, 2291192, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00613   416   NtQueryInformationFile  (92, 2291036, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 00614   416   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 2291044,  (0x40110080, {24, 0, 0x40, 0, 2291044, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\packed.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 00615   416   NtClose  (-2147482020, ... ) == 0x0
 00614   416   NtCreateFile  ... 96, {status=0x0, info=2}, ) == 0x0
 00616   416   NtQueryVolumeInformationFile  (96, 2290416, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 00617   416   NtQueryInformationFile  (96, 2290376, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 00618   416   NtQueryVolumeInformationFile  (92, 2290416, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00619   416   NtSetInformationFile  (96, 2290204, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00620   416   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 92, ... 100, ) == 0x0
 00621   416   NtMapViewOfSection  (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x960000), {0, 0}, 16384, ) == 0x0
 00622   416   NtClose  (100, ... ) == 0x0
 00623   416   NtWriteFile  (96, 0, 0, 0,  (96, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\3\0\202\255\350B\0\0\0\0\0\0\0\0\340\0\17\2\13\1\28\0@\0\0\0\20\0\0\0\300\0\0\0\3\1\0\0\320\0\0\0\20\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0 \1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0 \0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\340UPX1\0\0\0\0\0@\0\0\0\320\0\0\06\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\340UPX2\0\0\0\0\0\20\0\0\0\20\1\0\0\2\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\3001.25", 14848, 0x0, 0, ... {status=0x0, info=14848}, ) , 14848, 0x0, 0, ... {status=0x0, info=14848}, ) == 0x0
 00624   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00625   416   NtSetInformationFile  (96, 2292648, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 00626   416   NtClose  (92, ... ) == 0x0
 00627   416   NtClose  (96, ... ) == 0x0
 00628   416   NtClose  (88, ... ) == 0x0
 00629   416   NtOpenKey  (0x20006, {24, 32, 0x40, 0, 0,  (0x20006, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 88, ) }, ... 88, ) == 0x0
 00630   416   NtSetValueKey  (88,  (88, "REGSRV64", 0, 1, ""\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0\0\0", 42, ... , 0, 1, " (88, "REGSRV64", 0, 1, ""\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0\0\0", 42, ... \0\0\0", 42, ...
 00631   416   NtSetInformationFile  (-2147482808, -104880332, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00632   416   NtSetInformationFile  (-2147482808, -104880424, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00633   416   NtSetInformationFile  (-2147482808, -104880732, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00630   416   NtSetValueKey  ... ) == 0x0
 00634   416   NtClose  (88, ... ) == 0x0
 00635   416   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 2292832,  (0x40100080, {24, 0, 0x40, 0, 2292832, "\??\C:\WINDOWS\System32\KEYGAEL.DLL"}, 0x0, 6, 1, 5, 96, 0, 0, ... }, 0x0, 6, 1, 5, 96, 0, 0, ...
 00636   416   NtClose  (-2147482020, ... ) == 0x0
 00635   416   NtCreateFile  ... 88, {status=0x0, info=2}, ) == 0x0
 00637   416   NtWriteFile  (88, 0, 0, 0,  (88, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\7\0\377\246\350B\02\0\0\204\2\0\0\340\0\6"\13\1\28\0\36\0\0\0.\0\0\0\10\0\0\0\20\0\0\0\20\0\0\00\0\0\0\0Ho\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\220\0\0\0\4\0\0\240\10\1\0\3\0\0\0\0\0 \0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0`\0\0\220\0\0\0\0p\0\0t\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\234\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\35\0\0\0\20\0\0\0\36\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0p.data\0\0\0`\0\0\0\00\0\0\0\2\0\0\0"\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\320.rdata\0\0l\3\0\0\0@\0\0\0\4\0\0\0$\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\320.bss", 27254, 0x0, 0, ... {status=0x0, info=27254}, ) \13\1\28\0\36\0\0\0.\0\0\0\10\0\0\0\20\0\0\0\20\0\0\00\0\0\0\0Ho\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\220\0\0\0\4\0\0\240\10\1\0\3\0\0\0\0\0 \0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0`\0\0\220\0\0\0\0p\0\0t\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\234\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\35\0\0\0\20\0\0\0\36\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0p.data\0\0\0`\0\0\0\00\0\0\0\2\0\0\0 (88, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\7\0\377\246\350B\02\0\0\204\2\0\0\340\0\6"\13\1\28\0\36\0\0\0.\0\0\0\10\0\0\0\20\0\0\0\20\0\0\00\0\0\0\0Ho\0\20\0\0\0\2\0\0\4\0\0\0\1\0\0\0\4\0\0\0\0\0\0\0\0\220\0\0\0\4\0\0\240\10\1\0\3\0\0\0\0\0 \0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0`\0\0\220\0\0\0\0p\0\0t\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\234\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\35\0\0\0\20\0\0\0\36\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\0\0p.data\0\0\0`\0\0\0\00\0\0\0\2\0\0\0"\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\320.rdata\0\0l\3\0\0\0@\0\0\0\4\0\0\0$\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\320.bss", 27254, 0x0, 0, ... {status=0x0, info=27254}, ) , 27254, 0x0, 0, ... {status=0x0, info=27254}, ) == 0x0
 00638   416   NtClose  (88, ... ) == 0x0
 00639   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\KEYGAEL.DLL"}, 2290640, ... ) }, 2290640, ... ) == 0x0
 00640   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\KEYGAEL.DLL"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00641   416   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 88, ... 96, ) == 0x0
 00642   416   NtClose  (88, ... ) == 0x0
 00643   416   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 28672, ) == 0x0
 00644   416   NtClose  (96, ... ) == 0x0
 00645   416   NtUnmapViewOfSection  (-1, 0x960000, ... ) == 0x0
 00646   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\KEYGAEL.DLL"}, 2290956, ... ) }, 2290956, ... ) == 0x0
 00647   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\KEYGAEL.DLL"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00648   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 96, ... 88, ) == 0x0
 00649   416   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00650   416   NtClose  (96, ... ) == 0x0
 00651   416   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x6f480000), 0x0, 36864, ) == 0x0
 00652   416   NtClose  (88, ... ) == 0x0
 00653   416   NtProtectVirtualMemory  (-1, (0x6f487000), 1140, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00654   416   NtProtectVirtualMemory  (-1, (0x6f487000), 4096, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00655   416   NtFlushInstructionCache  (-1, 1867018240, 1140, ... ) == 0x0
 00656   416   NtProtectVirtualMemory  (-1, (0x6f487000), 1140, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00657   416   NtProtectVirtualMemory  (-1, (0x6f487000), 4096, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00658   416   NtFlushInstructionCache  (-1, 1867018240, 1140, ... ) == 0x0
 00659   416   NtProtectVirtualMemory  (-1, (0x6f487000), 1140, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00660   416   NtProtectVirtualMemory  (-1, (0x6f487000), 4096, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00661   416   NtFlushInstructionCache  (-1, 1867018240, 1140, ... ) == 0x0
 00662   416   NtProtectVirtualMemory  (-1, (0x6f487000), 1140, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00663   416   NtProtectVirtualMemory  (-1, (0x6f487000), 4096, 4, ... (0x6f487000), 4096, 4, ) == 0x0
 00664   416   NtFlushInstructionCache  (-1, 1867018240, 1140, ... ) == 0x0
 00665   416   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00666   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 2290816, ... ) }, 2290816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   416   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 2290816, ... ) }, 2290816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   416   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 2290816, ... ) }, 2290816, ... ) == 0x0
 00669   416   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00670   416   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 96, ) == 0x0
 00671   416   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00672   416   NtClose  (88, ... ) == 0x0
 00673   416   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0
 00674   416   NtClose  (96, ... ) == 0x0
 00675   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00676   416   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0
 00677   416   NtOpenEvent  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 92, ) }, ... 92, ) == 0x0
 00678   416   NtQueryEvent  (92, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0
 00679   416   NtClose  (92, ... ) == 0x0
 00680   416   NtConnectPort  ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 2292300, 140, ... 92, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 2292300, 140, ... 92, 0x0, 0x0, 256, 140, ) == 0x0
 00681   416   NtRequestWaitReplyPort  (92, {28, 52, new_msg, 0, 0, 0, 0, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\1\200\251$\0" ... {176, 200, reply, 0, 412, 416, 1508, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 412, 416, 1508, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\1\200\251$\0" ... {176, 200, reply, 0, 412, 416, 1508, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\1\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 00682   416   NtUserSetWindowsHookEx  (1866989568, 2292336, 0, 3, 1866994232, 2, ... ) == 0x3006d
 00683   416   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 00684   416   NtQueryValueKey  (100,  (100, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00685   416   NtQueryValueKey  (100,  (100, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (100, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 00686   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00687   416   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "Protocol_Catalog9"}, ... 108, ) }, ... 108, ) == 0x0
 00688   416   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00689   416   NtNotifyChangeKey  (108, 104, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00690   416   NtQueryValueKey  (108,  (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0
 00691   416   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00692   416   NtQueryValueKey  (108,  (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0
 00693   416   NtQueryValueKey  (108,  (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 00694   416   NtOpenKey  (0x2000000, {24, 108, 0x40, 0, 0,  (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0
 00695   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0
 00696   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00697   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00698   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\273\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\274\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\275\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\276\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00699   416   NtClose  (116, ... ) == 0x0
 00700   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0
 00701   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00702   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00703   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\300\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\301\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\302\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\303\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00704   416   NtClose  (116, ... ) == 0x0
 00705   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0
 00706   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00707   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00708   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\305\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\306\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\307\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\310\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00709   416   NtClose  (116, ... ) == 0x0
 00710   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0
 00711   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00712   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00713   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\312\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\313\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\314\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\315\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00714   416   NtClose  (116, ... ) == 0x0
 00715   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000005"}, ... 116, ) }, ... 116, ) == 0x0
 00716   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00717   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00718   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\317\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\320\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\321\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\322\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00719   416   NtClose  (116, ... ) == 0x0
 00720   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000006"}, ... 116, ) }, ... 116, ) == 0x0
 00721   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00722   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00723   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\324\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\325\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\326\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\327\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00724   416   NtClose  (116, ... ) == 0x0
 00725   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000007"}, ... 116, ) }, ... 116, ) == 0x0
 00726   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00727   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00728   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\331\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\332\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\333\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\334\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00729   416   NtClose  (116, ... ) == 0x0
 00730   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000008"}, ... 116, ) }, ... 116, ) == 0x0
 00731   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00732   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00733   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\336\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\337\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\340\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\341\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00734   416   NtClose  (116, ... ) == 0x0
 00735   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000009"}, ... 116, ) }, ... 116, ) == 0x0
 00736   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00737   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00738   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\343\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\344\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\345\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\346\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00739   416   NtClose  (116, ... ) == 0x0
 00740   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000010"}, ... 116, ) }, ... 116, ) == 0x0
 00741   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00742   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00743   416   NtAllocateVirtualMemory  (-1, 2416640, 0, 4096, 4096, 4, ... 2416640, 4096, ) == 0x0
 00744   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\351\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0\324\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0h\265$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\352\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\353\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\354\2\0\0\234\1\0\0\240\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0
 00745   416   NtClose  (116, ... ) == 0x0
 00746   416   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "000000000011"}, ... 116, ) }, ... 116, ) == 0x0
 00747   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00748   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00749   416   NtQueryValueKey  (116,  (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\356\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\356\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\357\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\2\0\0\234\1\0\0\240\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\2\0\0\234\1\0\0\240\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\361\2\0\0\234\1\0\0\240\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\361\2\0\0\234\1\0\0\240\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\362\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0d\0\0\0\360\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\08\265$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\356\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\356\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\357\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\357\2\0\0\234\1\0\0\240\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\2\0\0\234\1\0\0\240\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\2\0\0\234\1\0\0\240\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\361\2\0\0\234\1\0\0\240\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\361\2\0\0\234\1\0\0\240\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\362\2\0\0\234\1\0\0\240\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0d\0\0\0\360\373"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\08\265$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\08\265$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0
 00750   416   NtClose  (116, ... ) == 0x0
 00751   416   NtClose  (112, ... ) == 0x0
 00752   416   NtWaitForSingleObject  (104, 0, {0, 0}, ... ) == 0x102
 00753   416   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 00754   416   NtOpenKey  (0x2000000, {24, 100, 0x40, 0, 0,  (0x2000000, {24, 100, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 116, ) }, ... 116, ) == 0x0
 00755   416   NtQueryValueKey  (116,  (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00756   416   NtNotifyChangeKey  (116, 112, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103
 00757   416   NtQueryValueKey  (116,  (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0
 00758   416   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00759   416   NtQueryValueKey  (116,  (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0
 00760   416   NtOpenKey  (0x2000000, {24, 116, 0x40, 0, 0,  (0x2000000, {24, 116, 0x40, 0, 0, "Catalog_Entries"}, ... 120, ) }, ... 120, ) == 0x0
 00761   416   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000001"}, ... 124, ) }, ... 124, ) == 0x0
 00762   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00763   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00764   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00765   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00766   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00767   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0
 00768   416   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0
 00769   416   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   416   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0
 00771   416   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00772   416   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00773   416   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00774   416   NtClose  (124, ... ) == 0x0
 00775   416   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000002"}, ... 124, ) }, ... 124, ) == 0x0
 00776   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00777   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0
 00778   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00779   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00780   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00781   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0
 00782   416   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0
 00783   416   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00784   416   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 00785   416   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00786   416   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00787   416   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00788   416   NtClose  (124, ... ) == 0x0
 00789   416   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "000000000003"}, ... 124, ) }, ... 124, ) == 0x0
 00790   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00791   416   NtQueryValueKey  (124,  (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00792   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00793   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00794   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00795   416   NtQueryValueKey  (124,  (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0
 00796   416   NtQueryValueKey  (124,  (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0
 00797   416   NtQueryValueKey  (124,  (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00798   416   NtQueryValueKey  (124,  (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0
 00799   416   NtQueryValueKey  (124,  (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00800   416   NtQueryValueKey  (124,  (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00801   416   NtQueryValueKey  (124,  (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00802   416   NtClose  (124, ... ) == 0x0
 00803   416   NtClose  (120, ... ) == 0x0
 00804   416   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 00805   416   NtClose  (100, ... ) == 0x0
 00806   416   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00807   416   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00808   416   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 00809   416   NtQueryValueKey  (100,  (100, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   416   NtClose  (100, ... ) == 0x0
 00811   416   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 100, ) == 0x0
 00812   416   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 10551296, 2097152, ) == 0x0
 00813   416   NtAllocateVirtualMemory  (-1, 12640256, 0, 8192, 4096, 4, ... 12640256, 8192, ) == 0x0
 00814   416   NtProtectVirtualMemory  (-1, (0xc0e000), 4096, 260, ... (0xc0e000), 4096, 4, ) == 0x0
 00815   416   NtCreateThread  (0x1f03ff, 0x0, -1, 2292572, 2293288, 1, ... 120, {412, 568}, ) == 0x0
 00816   416   NtQueryInformationThread  (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=412,Tid=568,}, 0x0, ) == 0x0
 00817   416   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2361544, 2359296, 2419632, 2292312}  (24, {28, 56, new_msg, 0, 2361544, 2359296, 2419632, 2292312} "\0\0\0\0\1\0\1\0\2$\370w U\367wx\0\0\0\234\1\0\08\2\0\0" ... {28, 56, reply, 0, 412, 416, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 U\367wx\0\0\0\234\1\0\08\2\0\0" )  ... {28, 56, reply, 0, 412, 416, 1509, 0}  (24, {28, 56, new_msg, 0, 2361544, 2359296, 2419632, 2292312} "\0\0\0\0\1\0\1\0\2$\370w U\367wx\0\0\0\234\1\0\08\2\0\0" ... {28, 56, reply, 0, 412, 416, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0 U\367wx\0\0\0\234\1\0\08\2\0\0" )  ) == 0x0
 00818   416   NtResumeThread  (120, ... 1, ) == 0x0
 00819   416   NtClose  (120, ... ) == 0x0
 00820   416   NtUserGetMessage  (0, 0, 0, ...
 00821   568   NtTestAlert  (... ) == 0x0
 00822   568   NtContinue  (12647728, 1, ...
 00823   568   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00824   568   NtQueryValueKey  (76,  (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00825   568   NtQueryValueKey  (76,  (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   568   NtQueryValueKey  (76,  (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00827   568   NtQueryValueKey  (76,  (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00828   568   NtQueryValueKey  (76,  (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00829   568   NtQueryValueKey  (76,  (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00830   568   NtQueryValueKey  (76,  (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00831   568   NtQueryValueKey  (76,  (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00832   568   NtQueryValueKey  (76,  (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00833   568   NtRequestWaitReplyPort  (92, {28, 52, new_msg, 0, 0, 0, 0, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36$\0" ... {176, 200, reply, 0, 412, 568, 1510, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 412, 568, 1510, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36$\0" ... {176, 200, reply, 0, 412, 568, 1510, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 00834   568   NtQueryValueKey  (76,  (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00835   568   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 120, ) }, ... 120, ) == 0x0
 00836   568   NtQueryValueKey  (120,  (120, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00837   568   NtClose  (120, ... ) == 0x0
 00838   568   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 120, ) }, ... 120, ) == 0x0
 00839   568   NtQueryValueKey  (120,  (120, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00840   568   NtClose  (120, ... ) == 0x0
 00841   568   NtAllocateVirtualMemory  (-1, 12636160, 0, 4096, 4096, 260, ... 12636160, 4096, ) == 0x0
 00842   568   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 120, ) }, ... 120, ) == 0x0
 00843   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 124, ) }, ... 124, ) == 0x0
 00844   568   NtQueryValueKey  (124,  (124, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00845   568   NtClose  (124, ... ) == 0x0
 00846   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 124, ) }, ... 124, ) == 0x0
 00847   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 128, ) }, ... 128, ) == 0x0
 00848   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0
 00849   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 136, ) }, ... 136, ) == 0x0
 00850   568   NtQueryValueKey  (136,  (136, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 00851   568   NtQueryValueKey  (136,  (136, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0
 00852   568   NtClose  (136, ... ) == 0x0
 00853   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 136, ) }, ... 136, ) == 0x0
 00854   568   NtQueryValueKey  (136,  (136, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 00855   568   NtQueryValueKey  (136,  (136, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 00856   568   NtQueryValueKey  (136,  (136, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 00857   568   NtQueryValueKey  (136,  (136, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 00858   568   NtQueryValueKey  (136,  (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 00859   568   NtQueryValueKey  (136,  (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 00860   568   NtClose  (136, ... ) == 0x0
 00861   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "Content"}, ... 136, ) }, ... 136, ) == 0x0
 00862   568   NtQueryValueKey  (136,  (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00863   568   NtClose  (136, ... ) == 0x0
 00864   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "Content"}, ... 136, ) }, ... 136, ) == 0x0
 00865   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 140, ) }, ... 140, ) == 0x0
 00866   568   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00867   568   NtClose  (140, ... ) == 0x0
 00868   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 140, ) }, ... 140, ) == 0x0
 00869   568   NtQueryValueKey  (140,  (140, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00870   568   NtClose  (140, ... ) == 0x0
 00871   568   NtAllocateVirtualMemory  (-1, 12632064, 0, 4096, 4096, 260, ... 12632064, 4096, ) == 0x0
 00872   568   NtQueryDefaultUILanguage  (12641416, ...
 00873   568   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00874   568   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00875   568   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00876   568   NtClose  (-2147482020, ... ) == 0x0
 00877   568   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00878   568   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00879   568   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00880   568   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00881   568   NtClose  (-2147482032, ... ) == 0x0
 00882   568   NtClose  (-2147482020, ... ) == 0x0
 00872   568   NtQueryDefaultUILanguage  ... ) == 0x0
 00883   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00884   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 140, {status=0x0, info=1}, ) }, 1, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 00885   568   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 140, ... 144, ) == 0x0
 00886   568   NtMapViewOfSection  (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xc10000), 0x0, 8323072, ) == 0x0
 00887   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00888   568   NtAllocateVirtualMemory  (-1, 12627968, 0, 4096, 4096, 260, ... 12627968, 4096, ) == 0x0
 00889   568   NtQueryDefaultLocale  (1, 12639452, ... ) == 0x0
 00890   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00891   568   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 12640308, 1, 96, 0}  (24, {128, 156, new_msg, 0, 12640308, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\343\300\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0\20\311\370\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\04\347\300\0\0\0\0\0" ... {128, 156, reply, 0, 412, 568, 1511, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\343\300\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0\20\311\370\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\04\347\300\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 568, 1511, 0}  (24, {128, 156, new_msg, 0, 12640308, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\343\300\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0\20\311\370\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\04\347\300\0\0\0\0\0" ... {128, 156, reply, 0, 412, 568, 1511, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\343\300\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1\214\0\0\0\377\377\377\377\0\0\0\0\20\311\370\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\04\347\300\0\0\0\0\0" )  ) == 0x0
 00892   568   NtClose  (140, ... ) == 0x0
 00893   568   NtClose  (144, ... ) == 0x0
 00894   568   NtUnmapViewOfSection  (-1, 0xc10000, ... ) == 0x0
 00895   568   NtUnmapViewOfSection  (-1, 0xc0e734, ... ) == STATUS_NOT_MAPPED_VIEW
 00896   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00897   568   NtAllocateVirtualMemory  (-1, 2420736, 0, 4096, 4096, 4, ... 2420736, 4096, ) == 0x0
 00898   568   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00900   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00901   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 12638536, ... ) }, 12638536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00903   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00904   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00905   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 12639128, ... ) }, 12639128, ... ) == 0x0
 00906   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 144, {status=0x0, info=1}, ) }, 3, 33, ... 144, {status=0x0, info=1}, ) == 0x0
 00907   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00908   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 140, ) }, ... 140, ) == 0x0
 00909   568   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00910   568   NtClose  (140, ... ) == 0x0
 00911   568   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 140, ) == 0x0
 00912   568   NtQueryInformationProcess  (140, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00913   568   NtClose  (140, ... ) == 0x0
 00914   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0
 00915   568   NtCallbackReturn  (0, 0, 0, ...
 00916   568   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00917   568   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00918   568   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00919   568   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 148, ) }, ... 148, ) == 0x0
 00920   568   NtQueryValueKey  (148,  (148, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00921   568   NtClose  (148, ... ) == 0x0
 00922   568   NtUserSystemParametersInfo  (41, 500, 12640992, 0, ... ) == 0x1
 00923   568   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00924   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00925   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00926   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac03b
 00927   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00928   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac03d
 00929   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00930   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00931   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac03f
 00932   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00933   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00934   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac041
 00935   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00936   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00937   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac043
 00938   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00939   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac045
 00940   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00941   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00942   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac047
 00943   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00944   568   NtUserFindExistingCursorIcon  (12640780, 12640796, 12641364, ... ) == 0x10011
 00945   568   NtUserRegisterClassExWOW  (12641232, 12641312, 12641296, 12641328, 0, 384, 0, ... ) == 0x810ac049
 00946   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00947   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00948   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac04b
 00949   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00950   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00951   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac04d
 00952   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00953   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00954   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac04f
 00955   568   NtUserGetClassInfo  (1999896576, 12641404, 12641356, 12641432, 0, ... ) == 0x0
 00956   568   NtUserRegisterClassExWOW  (12641240, 12641320, 12641304, 12641336, 0, 384, 0, ... ) == 0x810ac051
 00957   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00958   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00959   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac053
 00960   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00961   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00962   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac055
 00963   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac057
 00964   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00965   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00966   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac059
 00967   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00968   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10013
 00969   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac05b
 00970   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00971   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00972   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac05d
 00973   568   NtUserGetClassInfo  (1999896576, 12641400, 12641352, 12641428, 0, ... ) == 0x0
 00974   568   NtUserFindExistingCursorIcon  (12640784, 12640800, 12641368, ... ) == 0x10011
 00975   568   NtUserRegisterClassExWOW  (12641236, 12641316, 12641300, 12641332, 0, 384, 0, ... ) == 0x810ac05f
 00976   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc03b
 00977   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc03d
 00978   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc03f
 00979   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc041
 00980   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc043
 00981   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc045
 00982   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc047
 00983   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc049
 00984   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc04b
 00985   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc04d
 00986   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc04f
 00987   568   NtUserGetClassInfo  (1999896576, 12643156, 12643108, 12643184, 0, ... ) == 0xc051
 00988   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc053
 00989   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc055
 00990   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc059
 00991   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc05b
 00992   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc05d
 00993   568   NtUserGetClassInfo  (1999896576, 12643152, 12643104, 12643180, 0, ... ) == 0xc05f
 00994   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00995   568   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 2405040, 0,  (0x1f0003, {24, 52, 0x80, 2405040, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS
 00996   568   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00997   568   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00998   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 00999   568   NtQueryValueKey  (152,  (152, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (152, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0
 01000   568   NtClose  (152, ... ) == 0x0
 01001   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 12643676, ... ) }, 12643676, ... ) == 0x0
 01002   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01003   568   NtSetValueKey  (152,  (152, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1,  (152, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0
 01004   568   NtClose  (152, ... ) == 0x0
 01005   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 12645008, ... ) }, 12645008, ... ) == 0x0
 01006   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 12644740, ... ) }, 12644740, ... ) == 0x0
 01007   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0
 01008   568   NtSetInformationFile  (152, 12644716, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01009   568   NtClose  (152, ... ) == 0x0
 01010   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 12644740, ... ) }, 12644740, ... ) == 0x0
 01011   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01012   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01013   568   NtQueryValueKey  (136,  (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0
 01014   568   NtOpenKey  (0xf, {24, 32, 0x40, 0, 0,  (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 152, ) }, ... 152, ) == 0x0
 01015   568   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Paths"}, ... 156, ) }, ... 156, ) == 0x0
 01016   568   NtOpenKey  (0xf, {24, 156, 0x40, 0, 0,  (0xf, {24, 156, 0x40, 0, 0, "Path1"}, ... 160, ) }, ... 160, ) == 0x0
 01017   568   NtOpenKey  (0xf, {24, 156, 0x40, 0, 0,  (0xf, {24, 156, 0x40, 0, 0, "Path2"}, ... 164, ) }, ... 164, ) == 0x0
 01018   568   NtOpenKey  (0xf, {24, 156, 0x40, 0, 0,  (0xf, {24, 156, 0x40, 0, 0, "Path3"}, ... 168, ) }, ... 168, ) == 0x0
 01019   568   NtOpenKey  (0xf, {24, 156, 0x40, 0, 0,  (0xf, {24, 156, 0x40, 0, 0, "Path4"}, ... 172, ) }, ... 172, ) == 0x0
 01020   568   NtOpenKey  (0xf, {24, 152, 0x40, 0, 0,  (0xf, {24, 152, 0x40, 0, 0, "Special Paths"}, ... 176, ) }, ... 176, ) == 0x0
 01021   568   NtSetValueKey  (156,  (156, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1,  (156, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0
 01022   568   NtSetValueKey  (156,  (156, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4,  (156, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01023   568   NtSetValueKey  (160,  (160, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1,  (160, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01024   568   NtSetValueKey  (164,  (164, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1,  (164, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01025   568   NtSetValueKey  (168,  (168, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1,  (168, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01026   568   NtSetValueKey  (172,  (172, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1,  (172, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0
 01027   568   NtSetValueKey  (160,  (160, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (160, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01028   568   NtSetValueKey  (164,  (164, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (164, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01029   568   NtSetValueKey  (168,  (168, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (168, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01030   568   NtSetValueKey  (172,  (172, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4,  (172, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0
 01031   568   NtClose  (172, ... ) == 0x0
 01032   568   NtClose  (168, ... ) == 0x0
 01033   568   NtClose  (164, ... ) == 0x0
 01034   568   NtClose  (160, ... ) == 0x0
 01035   568   NtClose  (156, ... ) == 0x0
 01036   568   NtClose  (176, ... ) == 0x0
 01037   568   NtClose  (152, ... ) == 0x0
 01038   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "Cookies"}, ... 152, ) }, ... 152, ) == 0x0
 01039   568   NtQueryValueKey  (152,  (152, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01040   568   NtClose  (152, ... ) == 0x0
 01041   568   NtClose  (136, ... ) == 0x0
 01042   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "Cookies"}, ... 136, ) }, ... 136, ) == 0x0
 01043   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01044   568   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01045   568   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01046   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01047   568   NtQueryValueKey  (152,  (152, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (152, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0
 01048   568   NtClose  (152, ... ) == 0x0
 01049   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 12643676, ... ) }, 12643676, ... ) == 0x0
 01050   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01051   568   NtSetValueKey  (152,  (152, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1,  (152, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01052   568   NtClose  (152, ... ) == 0x0
 01053   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 12645008, ... ) }, 12645008, ... ) == 0x0
 01054   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01055   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0
 01056   568   NtQueryValueKey  (136,  (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01057   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "History"}, ... 152, ) }, ... 152, ) == 0x0
 01058   568   NtQueryValueKey  (152,  (152, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01059   568   NtClose  (152, ... ) == 0x0
 01060   568   NtClose  (136, ... ) == 0x0
 01061   568   NtOpenKey  (0xf, {24, 128, 0x40, 0, 0,  (0xf, {24, 128, 0x40, 0, 0, "History"}, ... 136, ) }, ... 136, ) == 0x0
 01062   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01063   568   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01064   568   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01065   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01066   568   NtQueryValueKey  (152,  (152, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (152, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0
 01067   568   NtClose  (152, ... ) == 0x0
 01068   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 12643676, ... ) }, 12643676, ... ) == 0x0
 01069   568   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01070   568   NtSetValueKey  (152,  (152, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1,  (152, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0
 01071   568   NtClose  (152, ... ) == 0x0
 01072   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 12645008, ... ) }, 12645008, ... ) == 0x0
 01073   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 12644740, ... ) }, 12644740, ... ) == 0x0
 01074   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0
 01075   568   NtSetInformationFile  (152, 12644716, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01076   568   NtClose  (152, ... ) == 0x0
 01077   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 12644740, ... ) }, 12644740, ... ) == 0x0
 01078   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01079   568   NtQueryValueKey  (136,  (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0
 01080   568   NtQueryValueKey  (136,  (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01081   568   NtClose  (136, ... ) == 0x0
 01082   568   NtClose  (132, ... ) == 0x0
 01083   568   NtClose  (124, ... ) == 0x0
 01084   568   NtClose  (128, ... ) == 0x0
 01085   568   NtClose  (120, ... ) == 0x0
 01086   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 120, ) }, ... 120, ) == 0x0
 01087   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 128, ) }, ... 128, ) == 0x0
 01088   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01089   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0
 01090   568   NtQueryVolumeInformationFile  (124, 12646260, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01091   568   NtClose  (124, ... ) == 0x0
 01092   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0
 01093   568   NtQueryVolumeInformationFile  (124, 12646284, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01094   568   NtClose  (124, ... ) == 0x0
 01095   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 12646612, ... ) }, 12646612, ... ) == 0x0
 01096   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 124, {status=0x0, info=1}, ) }, 7, 2113568, ... 124, {status=0x0, info=1}, ) == 0x0
 01097   568   NtSetInformationFile  (124, 12646588, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01098   568   NtClose  (124, ... ) == 0x0
 01099   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646604,  (0xc0100080, {24, 0, 0x40, 2405040, 12646604, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 01100   568   NtSetInformationFile  (124, 12646656, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01101   568   NtQueryInformationFile  (124, 12646656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01102   568   NtClose  (124, ... ) == 0x0
 01103   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646588,  (0xc0100080, {24, 0, 0x40, 2405040, 12646588, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0
 01104   568   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 132, ) }, ... 132, ) == 0x0
 01105   568   NtMapViewOfSection  (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc10000), {0, 0}, 32768, ) == 0x0
 01106   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01107   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 136, ) }, ... 136, ) == 0x0
 01108   568   NtWaitForSingleObject  (136, 0, 0x0, ... ) == 0x0
 01109   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 152, {status=0x0, info=1}, ) }, 3, 8388641, ... 152, {status=0x0, info=1}, ) == 0x0
 01110   568   NtQueryVolumeInformationFile  (152, 12646260, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01111   568   NtClose  (152, ... ) == 0x0
 01112   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 152, {status=0x0, info=1}, ) }, 3, 8388641, ... 152, {status=0x0, info=1}, ) == 0x0
 01113   568   NtQueryVolumeInformationFile  (152, 12646284, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01114   568   NtClose  (152, ... ) == 0x0
 01115   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 12646612, ... ) }, 12646612, ... ) == 0x0
 01116   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 152, {status=0x0, info=1}, ) }, 7, 2113568, ... 152, {status=0x0, info=1}, ) == 0x0
 01117   568   NtSetInformationFile  (152, 12646588, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01118   568   NtClose  (152, ... ) == 0x0
 01119   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646604,  (0xc0100080, {24, 0, 0x40, 2405040, 12646604, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01120   568   NtSetInformationFile  (152, 12646656, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01121   568   NtQueryInformationFile  (152, 12646656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01122   568   NtClose  (152, ... ) == 0x0
 01123   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646588,  (0xc0100080, {24, 0, 0x40, 2405040, 12646588, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01124   568   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 176, ) }, ... 176, ) == 0x0
 01125   568   NtMapViewOfSection  (176, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 16384, ) == 0x0
 01126   568   NtReleaseMutant  (136, ... 0x0, ) == 0x0
 01127   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 156, ) }, ... 156, ) == 0x0
 01128   568   NtWaitForSingleObject  (156, 0, 0x0, ... ) == 0x0
 01129   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 160, {status=0x0, info=1}, ) }, 3, 8388641, ... 160, {status=0x0, info=1}, ) == 0x0
 01130   568   NtQueryVolumeInformationFile  (160, 12646260, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01131   568   NtClose  (160, ... ) == 0x0
 01132   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 160, {status=0x0, info=1}, ) }, 3, 8388641, ... 160, {status=0x0, info=1}, ) == 0x0
 01133   568   NtQueryVolumeInformationFile  (160, 12646284, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 01134   568   NtClose  (160, ... ) == 0x0
 01135   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 12646612, ... ) }, 12646612, ... ) == 0x0
 01136   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 160, {status=0x0, info=1}, ) }, 7, 2113568, ... 160, {status=0x0, info=1}, ) == 0x0
 01137   568   NtSetInformationFile  (160, 12646588, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01138   568   NtClose  (160, ... ) == 0x0
 01139   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646604,  (0xc0100080, {24, 0, 0x40, 2405040, 12646604, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01140   568   NtSetInformationFile  (160, 12646656, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01141   568   NtQueryInformationFile  (160, 12646656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01142   568   NtClose  (160, ... ) == 0x0
 01143   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 2405040, 12646588,  (0xc0100080, {24, 0, 0x40, 2405040, 12646588, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01144   568   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 164, ) }, ... 164, ) == 0x0
 01145   568   NtMapViewOfSection  (164, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc30000), {0, 0}, 32768, ) == 0x0
 01146   568   NtReleaseMutant  (156, ... 0x0, ) == 0x0
 01147   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 12646668, ... ) }, 12646668, ... ) == 0x0
 01148   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0
 01149   568   NtSetInformationFile  (168, 12646644, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01150   568   NtClose  (168, ... ) == 0x0
 01151   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 12646668, ... ) }, 12646668, ... ) == 0x0
 01152   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 12646668, ... ) }, 12646668, ... ) == 0x0
 01153   568   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0
 01154   568   NtSetInformationFile  (168, 12646644, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01155   568   NtClose  (168, ... ) == 0x0
 01156   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 12646668, ... ) }, 12646668, ... ) == 0x0
 01157   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01158   568   NtQueryInformationFile  (124, 12645052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01159   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01160   568   NtOpenKey  (0xf, {24, 60, 0x40, 0, 0,  (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 168, ) }, ... 168, ) == 0x0
 01161   568   NtOpenKey  (0xf, {24, 168, 0x40, 0, 0,  (0xf, {24, 168, 0x40, 0, 0, "Extensible Cache"}, ... 172, ) }, ... 172, ) == 0x0
 01162   568   NtClose  (168, ... ) == 0x0
 01163   568   NtWaitForSingleObject  (120, 0, {-600000000, -1}, ... ) == 0x0
 01164   568   NtEnumerateKey  (172, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (172, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0
 01165   568   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "MSHist012007051420070521"}, ... 168, ) }, ... 168, ) == 0x0
 01166   568   NtQueryValueKey  (168,  (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01167   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01168   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01169   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01170   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01171   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01172   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01173   568   NtQueryValueKey  (168,  (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01174   568   NtQueryValueKey  (168,  (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01175   568   NtClose  (168, ... ) == 0x0
 01176   568   NtEnumerateKey  (172, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (172, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0
 01177   568   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "MSHist012007052120070528"}, ... 168, ) }, ... 168, ) == 0x0
 01178   568   NtQueryValueKey  (168,  (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01179   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01180   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01181   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01182   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01183   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01184   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01185   568   NtQueryValueKey  (168,  (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01186   568   NtQueryValueKey  (168,  (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01187   568   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 01188   568   NtClose  (168, ... ) == 0x0
 01189   568   NtEnumerateKey  (172, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (172, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0
 01190   568   NtOpenKey  (0xf, {24, 172, 0x40, 0, 0,  (0xf, {24, 172, 0x40, 0, 0, "MSHist012007053120070601"}, ... 168, ) }, ... 168, ) == 0x0
 01191   568   NtQueryValueKey  (168,  (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01192   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01193   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01194   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01195   568   NtQueryValueKey  (168,  (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (168, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0
 01196   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01197   568   NtQueryValueKey  (168,  (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0
 01198   568   NtQueryValueKey  (168,  (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0
 01199   568   NtQueryValueKey  (168,  (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0
 01200   568   NtClose  (168, ... ) == 0x0
 01201   568   NtEnumerateKey  (172, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01202   568   NtReleaseMutant  (120, ... 0x0, ) == 0x0
 01203   568   NtClose  (172, ... ) == 0x0
 01204   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01205   568   NtQueryInformationFile  (124, 12646980, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01206   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01207   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01208   568   NtQueryInformationFile  (124, 12647052, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01209   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01210   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01212   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 172, ) }, ... 172, ) == 0x0
 01216   568   NtQueryValueKey  (172,  (172, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   568   NtClose  (172, ... ) == 0x0
 01218   568   NtQueryValueKey  (76,  (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   568   NtQueryValueKey  (76,  (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01220   568   NtQueryValueKey  (76,  (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   568   NtQueryValueKey  (76,  (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   568   NtQueryValueKey  (76,  (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01223   568   NtQueryValueKey  (76,  (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   568   NtQueryValueKey  (76,  (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01225   568   NtQueryValueKey  (76,  (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01226   568   NtQueryValueKey  (76,  (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   568   NtQueryValueKey  (76,  (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   568   NtQueryValueKey  (76,  (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01229   568   NtQueryValueKey  (76,  (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01230   568   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 172, ) }, ... 172, ) == 0x0
 01231   568   NtQueryValueKey  (172,  (172, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01232   568   NtClose  (172, ... ) == 0x0
 01233   568   NtQueryValueKey  (76,  (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01234   568   NtQueryValueKey  (76,  (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   568   NtQueryValueKey  (76,  (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01236   568   NtQueryValueKey  (76,  (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01237   568   NtQueryValueKey  (76,  (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01238   568   NtQueryValueKey  (76,  (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01239   568   NtQueryValueKey  (76,  (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   568   NtQueryValueKey  (76,  (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01241   568   NtQueryValueKey  (76,  (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01242   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 172, ) }, ... 172, ) == 0x0
 01243   568   NtQueryValueKey  (172,  (172, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01244   568   NtClose  (172, ... ) == 0x0
 01245   568   NtQueryValueKey  (76,  (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01246   568   NtQueryValueKey  (76,  (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   568   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01248   568   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01249   568   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01250   568   NtQueryValueKey  (76,  (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0
 01251   568   NtQueryValueKey  (76,  (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   568   NtQueryValueKey  (76,  (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01253   568   NtQueryValueKey  (76,  (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01254   568   NtQueryValueKey  (76,  (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01255   568   NtQueryValueKey  (76,  (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01256   568   NtQueryValueKey  (76,  (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01257   568   NtQueryValueKey  (76,  (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   568   NtQueryValueKey  (76,  (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01259   568   NtQueryValueKey  (76,  (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01260   568   NtQueryValueKey  (76,  (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01261   568   NtQueryValueKey  (76,  (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01262   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 172, ) }, ... 172, ) == 0x0
 01263   568   NtCreateEvent  (0x1f0003, 0x0, 1, 1, ... 168, ) == 0x0
 01264   568   NtQueryValueKey  (76,  (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01266   568   NtQueryInformationFile  (124, 12647028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01267   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01268   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 180, ) }, ... 180, ) == 0x0
 01269   568   NtCreateMutant  (0x1f0001, 0x0, 0, ... 184, ) == 0x0
 01270   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 188, ) }, ... 188, ) == 0x0
 01271   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01272   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01273   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 192, ) }, ... 192, ) == 0x0
 01274   568   NtQueryValueKey  (192,  (192, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01275   568   NtQueryValueKey  (192,  (192, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (192, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0
 01276   568   NtClose  (192, ... ) == 0x0
 01277   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 01278   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 01279   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01280   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 12645416, ... ) }, 12645416, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "RASAPI32.DLL"}, 12645416, ... ) }, 12645416, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01282   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 12645416, ... ) }, 12645416, ... ) == 0x0
 01283   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01284   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 192, ... 196, ) == 0x0
 01285   568   NtQuerySection  (196, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01286   568   NtClose  (192, ... ) == 0x0
 01287   568   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
 01288   568   NtClose  (196, ... ) == 0x0
 01289   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01290   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 12644612, ... ) }, 12644612, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01291   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasman.dll"}, 12644612, ... ) }, 12644612, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01292   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 12644612, ... ) }, 12644612, ... ) == 0x0
 01293   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01294   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0
 01295   568   NtQuerySection  (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01296   568   NtClose  (196, ... ) == 0x0
 01297   568   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
 01298   568   NtClose  (192, ... ) == 0x0
 01299   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 12643808, ... ) }, 12643808, ... ) == 0x0
 01303   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01304   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 192, ... 196, ) == 0x0
 01305   568   NtQuerySection  (196, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01306   568   NtClose  (192, ... ) == 0x0
 01307   568   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01308   568   NtClose  (196, ... ) == 0x0
 01309   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01310   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 12644612, ... ) }, 12644612, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 12644612, ... ) }, 12644612, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01312   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 12644612, ... ) }, 12644612, ... ) == 0x0
 01313   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01314   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0
 01315   568   NtQuerySection  (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01316   568   NtClose  (196, ... ) == 0x0
 01317   568   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
 01318   568   NtClose  (192, ... ) == 0x0
 01319   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01320   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01321   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01322   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 12643808, ... ) }, 12643808, ... ) == 0x0
 01323   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01324   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 192, ... 196, ) == 0x0
 01325   568   NtQuerySection  (196, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01326   568   NtClose  (192, ... ) == 0x0
 01327   568   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
 01328   568   NtClose  (196, ... ) == 0x0
 01329   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01330   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01331   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 12643808, ... ) }, 12643808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 12643808, ... ) }, 12643808, ... ) == 0x0
 01333   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01334   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0
 01335   568   NtQuerySection  (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01336   568   NtClose  (196, ... ) == 0x0
 01337   568   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
 01338   568   NtClose  (192, ... ) == 0x0
 01339   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0
 01340   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 196, ) == 0x0
 01341   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 200, ) == 0x0
 01342   568   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 204, ) }, ... 204, ) == 0x0
 01343   568   NtQueryValueKey  (204,  (204, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   568   NtQueryValueKey  (204,  (204, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   568   NtQueryValueKey  (204,  (204, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01346   568   NtQueryValueKey  (204,  (204, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01347   568   NtQueryValueKey  (204,  (204, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01348   568   NtQueryValueKey  (204,  (204, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   568   NtQueryValueKey  (204,  (204, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01350   568   NtQueryValueKey  (204,  (204, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   568   NtQueryValueKey  (204,  (204, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   568   NtQueryValueKey  (204,  (204, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01353   568   NtQueryValueKey  (204,  (204, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01354   568   NtQueryValueKey  (204,  (204, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01355   568   NtQueryValueKey  (204,  (204, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01356   568   NtQueryValueKey  (204,  (204, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01357   568   NtQueryValueKey  (204,  (204, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358   568   NtQueryValueKey  (204,  (204, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01359   568   NtQueryValueKey  (204,  (204, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01360   568   NtQueryValueKey  (204,  (204, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01361   568   NtQueryValueKey  (204,  (204, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01362   568   NtQueryValueKey  (204,  (204, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01363   568   NtQueryTimerResolution  (... 156250, 10000, 156250, ) == 0x0
 01364   568   NtQueryValueKey  (204,  (204, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365   568   NtQueryValueKey  (204,  (204, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   568   NtQueryValueKey  (204,  (204, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01367   568   NtQueryValueKey  (204,  (204, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368   568   NtQueryValueKey  (204,  (204, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01369   568   NtQueryValueKey  (204,  (204, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370   568   NtQueryValueKey  (204,  (204, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01371   568   NtQueryValueKey  (204,  (204, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01372   568   NtQueryValueKey  (204,  (204, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01373   568   NtQueryValueKey  (204,  (204, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01374   568   NtUserRegisterWindowMessage  ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c
 01375   568   NtOpenKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 208, ) }, ... 208, ) == 0x0
 01376   568   NtQueryValueKey  (208,  (208, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01377   568   NtClose  (208, ... ) == 0x0
 01378   568   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 0, 0,  (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01379   568   NtQueryValueKey  (204,  (204, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   568   NtQueryValueKey  (204,  (204, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381   568   NtQueryValueKey  (204,  (204, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01382   568   NtQueryValueKey  (204,  (204, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   568   NtQueryValueKey  (204,  (204, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01384   568   NtQueryValueKey  (204,  (204, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01385   568   NtQueryValueKey  (204,  (204, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386   568   NtQueryValueKey  (204,  (204, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01387   568   NtQueryValueKey  (204,  (204, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01388   568   NtQueryValueKey  (204,  (204, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   568   NtQueryDefaultUILanguage  (12643808, ...
 01390   568   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01391   568   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 01392   568   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01393   568   NtClose  (-2147482020, ... ) == 0x0
 01394   568   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 01395   568   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   568   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 01397   568   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01398   568   NtClose  (-2147482032, ... ) == 0x0
 01399   568   NtClose  (-2147482020, ... ) == 0x0
 01389   568   NtQueryDefaultUILanguage  ... ) == 0x0
 01400   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01401   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 208, {status=0x0, info=1}, ) }, 1, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01402   568   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 208, ... 212, ) == 0x0
 01403   568   NtMapViewOfSection  (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xc40000), 0x0, 163840, ) == 0x0
 01404   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01405   568   NtQueryDefaultLocale  (1, 12641844, ... ) == 0x0
 01406   568   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01407   568   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 12642700, 1, 96, 0}  (24, {128, 156, new_msg, 0, 12642700, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\300\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\320\0\0\0\377\377\377\377\0\0\0\0\360Z\306\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\214\360\300\0\0\0\0\0" ... {128, 156, reply, 0, 412, 568, 1512, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\300\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\320\0\0\0\377\377\377\377\0\0\0\0\360Z\306\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\214\360\300\0\0\0\0\0" )  ... {128, 156, reply, 0, 412, 568, 1512, 0}  (24, {128, 156, new_msg, 0, 12642700, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\354\300\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\320\0\0\0\377\377\377\377\0\0\0\0\360Z\306\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\214\360\300\0\0\0\0\0" ... {128, 156, reply, 0, 412, 568, 1512, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\300\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\35\1\320\0\0\0\377\377\377\377\0\0\0\0\360Z\306\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0\214\360\300\0\0\0\0\0" )  ) == 0x0
 01408   568   NtClose  (208, ... ) == 0x0
 01409   568   NtClose  (212, ... ) == 0x0
 01410   568   NtUnmapViewOfSection  (-1, 0xc40000, ... ) == 0x0
 01411   568   NtUnmapViewOfSection  (-1, 0xc0f08c, ... ) == STATUS_NOT_MAPPED_VIEW
 01412   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01413   568   NtAllocateVirtualMemory  (-1, 2428928, 0, 4096, 4096, 4, ... 2428928, 4096, ) == 0x0
 01414   568   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01416   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01417   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 12640928, ... ) }, 12640928, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01418   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01419   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01420   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01421   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 12641520, ... ) }, 12641520, ... ) == 0x0
 01422   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 212, {status=0x0, info=1}, ) }, 3, 33, ... 212, {status=0x0, info=1}, ) == 0x0
 01423   568   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01424   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 208, ) }, ... 208, ) == 0x0
 01425   568   NtQueryValueKey  (208,  (208, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   568   NtQueryValueKey  (208,  (208, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427   568   NtClose  (208, ... ) == 0x0
 01428   568   NtCreateMutant  (0x1f0001, 0x0, 0, ... 208, ) == 0x0
 01429   568   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 2430584, 0,  (0x1f0001, {24, 52, 0x80, 2430584, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED
 01430   568   NtOpenMutant  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 216, ) }, ... 216, ) == 0x0
 01431   568   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 220, ) == 0x0
 01432   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 224, ) == 0x0
 01433   568   NtCreateEvent  (0x1f0003, 0x0, 0, 1, ... 228, ) == 0x0
 01434   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 232, ) == 0x0
 01435   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0
 01436   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 240, ) == 0x0
 01437   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 244, ) == 0x0
 01438   568   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 248, 2, ) }, 0, 0x0, 0, ... 248, 2, ) == 0x0
 01439   568   NtQueryValueKey  (248,  (248, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01440   568   NtClose  (248, ... ) == 0x0
 01441   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 248, ) == 0x0
 01442   568   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 252, ) == 0x0
 01443   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 256, ) }, ... 256, ) == 0x0
 01444   568   NtQueryValueKey  (256,  (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01445   568   NtQueryValueKey  (256,  (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01446   568   NtQueryValueKey  (256,  (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01447   568   NtQueryValueKey  (256,  (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01448   568   NtQueryValueKey  (256,  (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 01449   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01450   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01451   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0
 01452   568   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 01453   568   NtQueryValueKey  (256,  (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01454   568   NtQueryValueKey  (256,  (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01455   568   NtQueryValueKey  (256,  (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01456   568   NtQueryValueKey  (256,  (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 01457   568   NtQueryValueKey  (256,  (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 01458   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01459   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 01460   568   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 01461   568   NtSetEvent  (244, ... 0x0, ) == 0x0
 01462   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 264, ) }, ... 264, ) == 0x0
 01463   568   NtWaitForSingleObject  (264, 0, {-1800000000, -1}, ... ) == 0x0
 01464   568   NtClose  (264, ... ) == 0x0
 01465   568   NtAllocateVirtualMemory  (-1, 2433024, 0, 4096, 4096, 4, ... 2433024, 4096, ) == 0x0
 01466   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01467   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01468   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 264, ) }, ... 264, ) == 0x0
 01469   568   NtQueryValueKey  (264,  (264, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470   568   NtClose  (264, ... ) == 0x0
 01471   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 264, ) == 0x0
 01473   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 268, ) == 0x0
 01474   568   NtQuerySystemTime  (... {1599928550, 29891200}, ) == 0x0
 01475   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 272, ) == 0x0
 01476   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   568   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01478   568   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01479   568   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01480   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0
 01481   568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 280, ) == 0x0
 01482   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 284, ) }, ... 284, ) == 0x0
 01483   568   NtOpenKey  (0x20019, {24, 284, 0x40, 0, 0,  (0x20019, {24, 284, 0x40, 0, 0, "ActiveComputerName"}, ... 288, ) }, ... 288, ) == 0x0
 01484   568   NtQueryValueKey  (288,  (288, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (288, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (288, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01485   568   NtClose  (288, ... ) == 0x0
 01486   568   NtClose  (284, ... ) == 0x0
 01487   568   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 284, ) == 0x0
 01488   568   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 288, ) == 0x0
 01489   568   NtDuplicateObject  (-1, 284, -1, 0x0, 0, 2, ... 292, ) == 0x0
 01490   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01491   568   NtAllocateVirtualMemory  (-1, 2437120, 0, 4096, 4096, 4, ... 2437120, 4096, ) == 0x0
 01492   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 296, ) == 0x0
 01493   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01494   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01495   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0
 01496   568   NtSetInformationFile  (300, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01497   568   NtSetInformationFile  (300, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01498   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01499   568   NtWriteFile  (300, 277, 0, 0,  (300, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01500   568   NtReadFile  (300, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (300, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\226!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01501   568   NtFsControlFile  (300, 277, 0x0, 0x0, 0x11c017,  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\226!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\226!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01502   568   NtFsControlFile  (300, 277, 0x0, 0x0, 0x11c017,  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01503   568   NtFsControlFile  (300, 277, 0x0, 0x0, 0x11c017,  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01504   568   NtFsControlFile  (300, 277, 0x0, 0x0, 0x11c017,  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\340-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01505   568   NtFsControlFile  (300, 277, 0x0, 0x0, 0x11c017,  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (300, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\337-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01506   568   NtClose  (296, ... ) == 0x0
 01507   568   NtClose  (300, ... ) == 0x0
 01508   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 01509   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01510   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01511   568   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01512   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01513   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 300, ) == 0x0
 01514   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01515   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01516   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12643080,  (0xc0100080, {24, 0, 0x40, 0, 12643080, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 296, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 296, {status=0x0, info=1}, ) == 0x0
 01517   568   NtSetInformationFile  (296, 12643136, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01518   568   NtSetInformationFile  (296, 12643128, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01519   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01520   568   NtWriteFile  (296, 277, 0, 0,  (296, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01521   568   NtReadFile  (296, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (296, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20" \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", )  \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01522   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20" \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20" \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", )  \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01523   568   NtClose  (300, ... ) == 0x0
 01524   568   NtClose  (296, ... ) == 0x0
 01525   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 296, 2, ) }, 0, 0x0, 0, ... 296, 2, ) == 0x0
 01526   568   NtCreateKey  (0x20019, {24, 296, 0x40, 0, 0,  (0x20019, {24, 296, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0
 01527   568   NtClose  (296, ... ) == 0x0
 01528   568   NtQueryValueKey  (300,  (300, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01529   568   NtClose  (300, ... ) == 0x0
 01530   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 300, ) }, ... 300, ) == 0x0
 01531   568   NtWaitForSingleObject  (300, 0, {-1800000000, -1}, ... ) == 0x0
 01532   568   NtClose  (300, ... ) == 0x0
 01533   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01534   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 300, ) == 0x0
 01535   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01536   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01537   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645164,  (0xc0100080, {24, 0, 0x40, 0, 12645164, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 296, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 296, {status=0x0, info=1}, ) == 0x0
 01538   568   NtSetInformationFile  (296, 12645220, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01539   568   NtSetInformationFile  (296, 12645212, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01540   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01541   568   NtWriteFile  (296, 277, 0, 0,  (296, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01542   568   NtReadFile  (296, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (296, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\227!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01543   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\227!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\227!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01544   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01545   568   NtWaitForSingleObject  (277, 0, 0x0, ... ) == 0x0
 01546   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103
 01547   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103
 01548   568   NtWaitForSingleObject  (277, 0, 0x0, ... ) == 0x0
 01549   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0p\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103
 01550   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\370\373\300\0\242\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103
 01551   568   NtFsControlFile  (296, 277, 0x0, 0x0, 0x11c017,  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624},  (296, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\341-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103
 01552   568   NtClose  (300, ... ) == 0x0
 01553   568   NtClose  (296, ... ) == 0x0
 01554   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01555   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 12645424, ... ) }, 12645424, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01556   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 12645424, ... ) }, 12645424, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 12645424, ... ) }, 12645424, ... ) == 0x0
 01558   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 296, {status=0x0, info=1}, ) }, 5, 96, ... 296, {status=0x0, info=1}, ) == 0x0
 01559   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 296, ... 300, ) == 0x0
 01560   568   NtQuerySection  (300, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01561   568   NtClose  (296, ... ) == 0x0
 01562   568   NtMapViewOfSection  (300, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0
 01563   568   NtClose  (300, ... ) == 0x0
 01564   568   NtOpenSection  (0x4, {24, 52, 0x0, 0, 0,  (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 300, ) }, ... 300, ) == 0x0
 01565   568   NtMapViewOfSection  (300, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xc40000), {0, 0}, 4096, ) == 0x0
 01566   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 296, ) == 0x0
 01567   568   NtConnectPort  ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 12645888, 112, ... 304, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12645888, 112, ... 304, 0x0, 0x0, 0x0, 112, ) == 0x0
 01568   568   NtRequestWaitReplyPort  (304, {128, 152, new_msg, 0, 127956, 2359296, 12645652, 2012750850}  (304, {128, 152, new_msg, 0, 127956, 2359296, 12645652, 2012750850} "\0\373\300\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wH %\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\3108%\0\320/%\0\240\1$\0\4\0\0\0\3008%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0*\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1514, 0} "\7\373\300\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\3108%\0\320/%\0\240\1$\0\4\0\0\0\3008%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0*\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1514, 0}  (304, {128, 152, new_msg, 0, 127956, 2359296, 12645652, 2012750850} "\0\373\300\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wH %\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\3108%\0\320/%\0\240\1$\0\4\0\0\0\3008%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0*\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1514, 0} "\7\373\300\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0\3108%\0\320/%\0\240\1$\0\4\0\0\0\3008%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0*\0\0\0\5\0\0\0" )  ) == 0x0
 01569   568   NtRequestWaitReplyPort  (304, {32, 56, new_msg, 0, 44, 7, 20, 0}  (304, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 412, 568, 1515, 0} "\2\360\371\177\1\00\300\0\0\0\0\232\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\333\0\370X\5O\200\0\360\371\177\0\0\0\0\0\0\0\0\260\5\22\201x\327\33\201\1\330\33\201\0\0\0\0|\376\37\300x\327\33\201\0\0\0\0\0\0\340\0\377\377\337\0\0\0\0\0\0\0\340\0\0\0\0\0x\327\33\201<\333\0\370" )  ... {124, 148, reply, 0, 412, 568, 1515, 0}  (304, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0s\206\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 412, 568, 1515, 0} "\2\360\371\177\1\00\300\0\0\0\0\232\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\333\0\370X\5O\200\0\360\371\177\0\0\0\0\0\0\0\0\260\5\22\201x\327\33\201\1\330\33\201\0\0\0\0|\376\37\300x\327\33\201\0\0\0\0\0\0\340\0\377\377\337\0\0\0\0\0\0\0\340\0\0\0\0\0x\327\33\201<\333\0\370" )  ) == 0x0
 01570   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 01571   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01572   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 01573   568   NtAllocateVirtualMemory  (-1, 2441216, 0, 4096, 4096, 4, ... 2441216, 4096, ) == 0x0
 01574   568   NtRequestWaitReplyPort  (92, {28, 52, new_msg, 0, 0, 0, 0, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\270>%\0" ... {176, 200, reply, 0, 412, 568, 1516, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ... {176, 200, reply, 0, 412, 568, 1516, 0}  (92, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\270>%\0" ... {176, 200, reply, 0, 412, 568, 1516, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" )  ) == 0x0
 01575   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01576   568   NtOpenThreadToken  (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
 01577   568   NtOpenProcessToken  (-1, 0x20008, ... 308, ) == 0x0
 01578   568   NtQueryInformationToken  (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01579   568   NtClose  (308, ... ) == 0x0
 01580   568   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 308, ) }, ... 308, ) == 0x0
 01581   568   NtSetInformationObject  (308, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 01582   568   NtOpenKey  (0x3, {24, 308, 0x40, 0, 0,  (0x3, {24, 308, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 312, ) }, ... 312, ) == 0x0
 01583   568   NtOpenKey  (0x1, {24, 312, 0x40, 0, 0,  (0x1, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0
 01584   568   NtQueryValueKey  (316,  (316, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01585   568   NtClose  (316, ... ) == 0x0
 01586   568   NtAllocateVirtualMemory  (-1, 2445312, 0, 20480, 4096, 4, ... 2445312, 20480, ) == 0x0
 01587   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01588   568   NtOpenProcessToken  (-1, 0xc, ... 316, ) == 0x0
 01589   568   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01590   568   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01591   568   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 320, 2, ) }, 0, 0x0, 0, ... 320, 2, ) == 0x0
 01592   568   NtQueryValueKey  (320,  (320, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0
 01593   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 324, ) }, ... 324, ) == 0x0
 01594   568   NtMapViewOfSection  (324, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0
 01595   568   NtClose  (324, ... ) == 0x0
 01596   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 324, ) }, ... 324, ) == 0x0
 01597   568   NtQueryValueKey  (324,  (324, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01598   568   NtClose  (324, ... ) == 0x0
 01599   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 324, ) }, ... 324, ) == 0x0
 01600   568   NtQueryValueKey  (324,  (324, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01601   568   NtClose  (324, ... ) == 0x0
 01602   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 324, ) }, ... 324, ) == 0x0
 01603   568   NtQueryValueKey  (324,  (324, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0
 01604   568   NtClose  (324, ... ) == 0x0
 01605   568   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 12642208, 0,  (0x1f0003, {24, 52, 0x80, 12642208, 0, "Global\userenv:  User Profile setup event"}, 0, 1, ... 324, ) }, 0, 1, ... 324, ) == STATUS_OBJECT_NAME_EXISTS
 01606   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01607   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01608   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01609   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01610   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01611   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01612   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01613   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01614   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01615   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01616   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01617   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01618   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01619   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01620   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01621   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01622   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01623   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01624   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01625   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01626   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01627   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01628   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01629   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01630   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01631   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01632   568   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01633   568   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 328, ) == 0x0
 01634   568   NtQueryInformationToken  (328, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01635   568   NtClose  (328, ... ) == 0x0
 01636   568   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 328, ) }, ... 328, ) == 0x0
 01637   568   NtOpenKey  (0x20019, {24, 328, 0x40, 0, 0,  (0x20019, {24, 328, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 332, ) }, ... 332, ) == 0x0
 01638   568   NtQueryValueKey  (332,  (332, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01639   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01640   568   NtQueryValueKey  (332,  (332, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0
 01641   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01642   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01643   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01644   568   NtQueryDefaultLocale  (1, 12640044, ... ) == 0x0
 01645   568   NtClose  (332, ... ) == 0x0
 01646   568   NtClose  (328, ... ) == 0x0
 01647   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 328, ) }, ... 328, ) == 0x0
 01648   568   NtQueryValueKey  (328,  (328, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01649   568   NtClose  (328, ... ) == 0x0
 01650   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 328, ) }, ... 328, ) == 0x0
 01651   568   NtQueryValueKey  (328,  (328, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01652   568   NtQueryValueKey  (328,  (328, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01653   568   NtClose  (328, ... ) == 0x0
 01654   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01655   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 328, ) }, ... 328, ) == 0x0
 01656   568   NtQueryValueKey  (328,  (328, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01657   568   NtClose  (328, ... ) == 0x0
 01658   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01659   568   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 12910592, 4096, ) == 0x0
 01660   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01661   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01662   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 328, ) }, ... 328, ) == 0x0
 01663   568   NtQueryValueKey  (328,  (328, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (328, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01664   568   NtClose  (328, ... ) == 0x0
 01665   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 328, ) }, ... 328, ) == 0x0
 01666   568   NtQueryValueKey  (328,  (328, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 01667   568   NtClose  (328, ... ) == 0x0
 01668   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01669   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 328, ) }, ... 328, ) == 0x0
 01670   568   NtQueryKey  (328, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 01671   568   NtQuerySecurityObject  (328, 7, 0, ... ) == STATUS_ACCESS_DENIED
 01672   568   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01673   568   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01674   568   NtEnumerateValueKey  (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01675   568   NtEnumerateValueKey  (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01676   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01677   568   NtEnumerateValueKey  (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01678   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01679   568   NtEnumerateValueKey  (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01680   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01681   568   NtEnumerateValueKey  (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01682   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01683   568   NtEnumerateValueKey  (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01684   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01685   568   NtEnumerateValueKey  (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01686   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01687   568   NtEnumerateValueKey  (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01688   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01689   568   NtEnumerateValueKey  (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01690   568   NtEnumerateValueKey  (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01691   568   NtEnumerateValueKey  (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (328, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01692   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01693   568   NtEnumerateValueKey  (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (328, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01694   568   NtAllocateVirtualMemory  (-1, 2465792, 0, 4096, 4096, 4, ... 2465792, 4096, ) == 0x0
 01695   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01696   568   NtEnumerateValueKey  (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (328, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01697   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01698   568   NtEnumerateValueKey  (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (328, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01699   568   NtEnumerateValueKey  (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (328, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01700   568   NtEnumerateValueKey  (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (328, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01701   568   NtEnumerateValueKey  (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (328, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01702   568   NtEnumerateValueKey  (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (328, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01703   568   NtEnumerateValueKey  (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (328, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01704   568   NtEnumerateValueKey  (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (328, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01705   568   NtEnumerateValueKey  (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (328, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01706   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01707   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01708   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 12643132, ... ) }, 12643132, ... ) == 0x0
 01709   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01710   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01711   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01712   568   NtEnumerateValueKey  (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (328, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01713   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01714   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01715   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 12643132, ... ) }, 12643132, ... ) == 0x0
 01716   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01717   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01718   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01719   568   NtClose  (328, ... ) == 0x0
 01720   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 328, ) }, ... 328, ) == 0x0
 01721   568   NtOpenKey  (0x20019, {24, 328, 0x40, 0, 0,  (0x20019, {24, 328, 0x40, 0, 0, "ActiveComputerName"}, ... 332, ) }, ... 332, ) == 0x0
 01722   568   NtQueryValueKey  (332,  (332, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (332, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (332, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01723   568   NtClose  (332, ... ) == 0x0
 01724   568   NtClose  (328, ... ) == 0x0
 01725   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01726   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 328, ) }, ... 328, ) == 0x0
 01727   568   NtQueryValueKey  (328,  (328, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (328, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01728   568   NtClose  (328, ... ) == 0x0
 01729   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 328, ) }, ... 328, ) == 0x0
 01730   568   NtQueryValueKey  (328,  (328, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 01731   568   NtClose  (328, ... ) == 0x0
 01732   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01733   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 328, ) }, ... 328, ) == 0x0
 01734   568   NtQueryValueKey  (328,  (328, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01735   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01736   568   NtQueryValueKey  (328,  (328, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (328, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 01737   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01738   568   NtClose  (328, ... ) == 0x0
 01739   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01740   568   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 328, ) }, ... 328, ) == 0x0
 01741   568   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01742   568   NtQueryInformationToken  (316, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 01743   568   NtDuplicateToken  (316, 0xc, {24, 0, 0x0, 0, 12644516, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 01744   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01745   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01746   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01747   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01748   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01749   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12642720,  (0xc0100080, {24, 0, 0x40, 0, 12642720, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 01750   568   NtSetInformationFile  (336, 12642776, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01751   568   NtSetInformationFile  (336, 12642768, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01752   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01753   568   NtWriteFile  (336, 277, 0, 0,  (336, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01754   568   NtReadFile  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20# \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01755   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20# \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20# \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01756   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\214\360\300\0\1\0\0\00\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\214\360\300\0\1\0\0\00\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01757   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\231%\0\1\0\0\0d\231%\0 \0\0\0\1\0\0\0\16\0\20\0p\231%\0\200\231%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\231%\0\1\0\0\0d\231%\0 \0\0\0\1\0\0\0\16\0\20\0p\231%\0\200\231%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01758   568   NtClose  (332, ... ) == 0x0
 01759   568   NtClose  (336, ... ) == 0x0
 01760   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01761   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 01762   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01763   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01764   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12642716,  (0xc0100080, {24, 0, 0x40, 0, 12642716, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 01765   568   NtSetInformationFile  (332, 12642772, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01766   568   NtSetInformationFile  (332, 12642764, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01767   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01768   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01769   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20$ \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01770   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20$ \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20$ \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01771   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\210\360\300\0\1\0\0\00\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\210\360\300\0\1\0\0\00\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01772   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\231%\0\1\0\0\0d\231%\0 \0\0\0\1\0\0\0\16\0\20\0p\231%\0\200\231%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\376\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\231%\0\1\0\0\0d\231%\0 \0\0\0\1\0\0\0\16\0\20\0p\231%\0\200\231%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01773   568   NtClose  (336, ... ) == 0x0
 01774   568   NtClose  (332, ... ) == 0x0
 01775   568   NtOpenEvent  (0x100000, {24, 0, 0x0, 0, 0,  (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01777   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01778   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01779   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01780   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12642348,  (0xc0100080, {24, 0, 0x40, 0, 12642348, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 01781   568   NtSetInformationFile  (336, 12642404, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01782   568   NtSetInformationFile  (336, 12642396, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01783   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01784   568   NtWriteFile  (336, 277, 0, 0,  (336, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01785   568   NtReadFile  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20% \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01786   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20% \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20% \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01787   568   NtClose  (332, ... ) == 0x0
 01788   568   NtClose  (336, ... ) == 0x0
 01789   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01790   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01791   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01792   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 336, ) == 0x0
 01793   568   NtQueryValueKey  (336,  (336, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 01794   568   NtClose  (336, ... ) == 0x0
 01795   568   NtCreateKey  (0x2001f, {24, 328, 0x40, 0, 0,  (0x2001f, {24, 328, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 01796   568   NtQueryValueKey  (336,  (336, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01797   568   NtClose  (336, ... ) == 0x0
 01798   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01799   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01800   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 12644420, ... ) }, 12644420, ... ) == 0x0
 01801   568   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 12644428,  (0x80100080, {24, 0, 0x40, 0, 12644428, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 01802   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01803   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01804   568   NtQueryInformationFile  (336, 12644444, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01805   568   NtReadFile  (336, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 01806   568   NtClose  (336, ... ) == 0x0
 01807   568   NtOpenKey  (0x20019, {24, 328, 0x40, 0, 0,  (0x20019, {24, 328, 0x40, 0, 0, "Environment"}, ... 336, ) }, ... 336, ) == 0x0
 01808   568   NtAllocateVirtualMemory  (-1, 2469888, 0, 12288, 4096, 4, ... 2469888, 12288, ) == 0x0
 01809   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 01810   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 01811   568   NtEnumerateValueKey  (336, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01812   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 01813   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01814   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01815   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 12643160, ... ) }, 12643160, ... ) == 0x0
 01816   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 01817   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01818   568   NtClose  (332, ... ) == 0x0
 01819   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 01820   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 01821   568   NtClose  (332, ... ) == 0x0
 01822   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01823   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01824   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01825   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 01826   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01827   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01828   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 12643160, ... ) }, 12643160, ... ) == 0x0
 01829   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 01830   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01831   568   NtClose  (332, ... ) == 0x0
 01832   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 01833   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 01834   568   NtClose  (332, ... ) == 0x0
 01835   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01836   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01837   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01838   568   NtEnumerateValueKey  (336, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01839   568   NtClose  (336, ... ) == 0x0
 01840   568   NtOpenKey  (0x20019, {24, 328, 0x40, 0, 0,  (0x20019, {24, 328, 0x40, 0, 0, "Volatile Environment"}, ... 336, ) }, ... 336, ) == 0x0
 01841   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 01842   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01843   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 01844   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01845   568   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 01846   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01847   568   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 01848   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01849   568   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 01850   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01851   568   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 01852   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01853   568   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 01854   568   NtEnumerateValueKey  (336, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01855   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 01856   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 01857   568   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 01858   568   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 01859   568   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 01860   568   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 01861   568   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 01862   568   NtEnumerateValueKey  (336, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01863   568   NtClose  (336, ... ) == 0x0
 01864   568   NtClose  (328, ... ) == 0x0
 01865   568   NtFreeVirtualMemory  (-1, (0xc50000), 0, 32768, ... (0xc50000), 4096, ) == 0x0
 01866   568   NtClose  (320, ... ) == 0x0
 01867   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 12645084, ... ) }, 12645084, ... ) == 0x0
 01868   568   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 320, 2, ) }, 0, 0x0, 0, ... 320, 2, ) == 0x0
 01869   568   NtSetValueKey  (320,  (320, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1,  (320, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0
 01870   568   NtClose  (320, ... ) == 0x0
 01871   568   NtClose  (316, ... ) == 0x0
 01872   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0
 01873   568   NtQueryDirectoryFile  (316, 0, 0, 0, 12644060, 616, BothDirectory, 1,  (316, 0, 0, 0, 12644060, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 01874   568   NtClose  (316, ... ) == 0x0
 01875   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0
 01876   568   NtQueryDirectoryFile  (316, 0, 0, 0, 12644060, 616, BothDirectory, 1,  (316, 0, 0, 0, 12644060, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 01877   568   NtClose  (316, ... ) == 0x0
 01878   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01879   568   NtOpenProcessToken  (-1, 0xc, ... 316, ) == 0x0
 01880   568   NtQueryInformationToken  (316, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 01881   568   NtOpenKey  (0x2001f, {24, 308, 0x40, 0, 0,  (0x2001f, {24, 308, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 320, ) }, ... 320, ) == 0x0
 01882   568   NtCreateKey  (0x2000000, {24, 320, 0x40, 0, 0,  (0x2000000, {24, 320, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 328, 2, ) }, 0, 0x0, 0, ... 328, 2, ) == 0x0
 01883   568   NtClose  (320, ... ) == 0x0
 01884   568   NtQueryValueKey  (328,  (328, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (328, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0
 01885   568   NtAllocateVirtualMemory  (-1, 0, 0, 1, 4096, 4, ... 12910592, 4096, ) == 0x0
 01886   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01887   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01888   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 320, ) }, ... 320, ) == 0x0
 01889   568   NtQueryValueKey  (320,  (320, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01890   568   NtClose  (320, ... ) == 0x0
 01891   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 320, ) }, ... 320, ) == 0x0
 01892   568   NtQueryValueKey  (320,  (320, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0
 01893   568   NtClose  (320, ... ) == 0x0
 01894   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01895   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 320, ) }, ... 320, ) == 0x0
 01896   568   NtQueryKey  (320, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0
 01897   568   NtQuerySecurityObject  (320, 7, 0, ... ) == STATUS_ACCESS_DENIED
 01898   568   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01899   568   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01900   568   NtEnumerateValueKey  (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01901   568   NtEnumerateValueKey  (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01902   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01903   568   NtEnumerateValueKey  (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01904   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01905   568   NtEnumerateValueKey  (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01906   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01907   568   NtEnumerateValueKey  (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01908   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01909   568   NtEnumerateValueKey  (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01910   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01911   568   NtEnumerateValueKey  (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01912   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01913   568   NtEnumerateValueKey  (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01914   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01915   568   NtEnumerateValueKey  (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01916   568   NtEnumerateValueKey  (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01917   568   NtEnumerateValueKey  (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (320, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0
 01918   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01919   568   NtEnumerateValueKey  (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (320, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0
 01920   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01921   568   NtEnumerateValueKey  (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (320, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0
 01922   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01923   568   NtEnumerateValueKey  (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (320, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0
 01924   568   NtEnumerateValueKey  (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (320, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0
 01925   568   NtEnumerateValueKey  (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (320, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0
 01926   568   NtEnumerateValueKey  (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (320, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0
 01927   568   NtEnumerateValueKey  (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (320, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0
 01928   568   NtEnumerateValueKey  (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (320, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0
 01929   568   NtEnumerateValueKey  (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (320, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0
 01930   568   NtEnumerateValueKey  (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (320, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01931   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01932   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01933   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 12643132, ... ) }, 12643132, ... ) == 0x0
 01934   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01935   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01936   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01937   568   NtEnumerateValueKey  (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (320, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0
 01938   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01939   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01940   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 12643132, ... ) }, 12643132, ... ) == 0x0
 01941   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01942   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01943   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01944   568   NtClose  (320, ... ) == 0x0
 01945   568   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 320, ) }, ... 320, ) == 0x0
 01946   568   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "ActiveComputerName"}, ... 336, ) }, ... 336, ) == 0x0
 01947   568   NtQueryValueKey  (336,  (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01948   568   NtClose  (336, ... ) == 0x0
 01949   568   NtClose  (320, ... ) == 0x0
 01950   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01951   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 320, ) }, ... 320, ) == 0x0
 01952   568   NtQueryValueKey  (320,  (320, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0
 01953   568   NtClose  (320, ... ) == 0x0
 01954   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 320, ) }, ... 320, ) == 0x0
 01955   568   NtQueryValueKey  (320,  (320, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0
 01956   568   NtClose  (320, ... ) == 0x0
 01957   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01958   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 320, ) }, ... 320, ) == 0x0
 01959   568   NtQueryValueKey  (320,  (320, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01960   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01961   568   NtQueryValueKey  (320,  (320, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (320, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0
 01962   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 01963   568   NtClose  (320, ... ) == 0x0
 01964   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01965   568   NtOpenKey  (0x20019, {24, 308, 0x40, 0, 0,  (0x20019, {24, 308, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 320, ) }, ... 320, ) == 0x0
 01966   568   NtOpenThreadToken  (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN
 01967   568   NtQueryInformationToken  (316, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0
 01968   568   NtDuplicateToken  (316, 0xc, {24, 0, 0x0, 0, 12644516, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED
 01969   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 01970   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01971   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 01972   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01973   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01974   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12642720,  (0xc0100080, {24, 0, 0x40, 0, 12642720, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 01975   568   NtSetInformationFile  (332, 12642776, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01976   568   NtSetInformationFile  (332, 12642768, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01977   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01978   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01979   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20& \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01980   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20& \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20& \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01981   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\214\360\300\0\1\0\0\0\300\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\214\360\300\0\1\0\0\0\300\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01982   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\206%\0\1\0\0\0\264\206%\0 \0\0\0\1\0\0\0\16\0\20\0\300\206%\0\320\206%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\377\343\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\206%\0\1\0\0\0\264\206%\0 \0\0\0\1\0\0\0\16\0\20\0\300\206%\0\320\206%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01983   568   NtClose  (336, ... ) == 0x0
 01984   568   NtClose  (332, ... ) == 0x0
 01985   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01986   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 01987   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01988   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01989   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12642716,  (0xc0100080, {24, 0, 0x40, 0, 12642716, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 01990   568   NtSetInformationFile  (336, 12642772, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01991   568   NtSetInformationFile  (336, 12642764, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01992   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01993   568   NtWriteFile  (336, 277, 0, 0,  (336, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01994   568   NtReadFile  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (336, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20' \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01995   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20' \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\360\300\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20' \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01996   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\210\360\300\0\1\0\0\0\300\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\210\360\300\0\1\0\0\0\300\231%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01997   568   NtFsControlFile  (336, 277, 0x0, 0x0, 0x11c017,  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\206%\0\1\0\0\0\264\206%\0 \0\0\0\1\0\0\0\16\0\20\0\300\206%\0\320\206%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180},  (336, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\344\375\231s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\250\206%\0\1\0\0\0\264\206%\0 \0\0\0\1\0\0\0\16\0\20\0\300\206%\0\320\206%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\20\234%\0\1\0\0\0\1\0\0\0\20\0\22\0$\234%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103
 01998   568   NtClose  (332, ... ) == 0x0
 01999   568   NtClose  (336, ... ) == 0x0
 02000   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02001   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02002   568   NtQueryInformationToken  (316, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0
 02003   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 336, ) == 0x0
 02004   568   NtQueryValueKey  (336,  (336, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0
 02005   568   NtClose  (336, ... ) == 0x0
 02006   568   NtCreateKey  (0x2001f, {24, 320, 0x40, 0, 0,  (0x2001f, {24, 320, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0
 02007   568   NtQueryValueKey  (336,  (336, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02008   568   NtClose  (336, ... ) == 0x0
 02009   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02010   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02011   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 12644420, ... ) }, 12644420, ... ) == 0x0
 02012   568   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 12644428,  (0x80100080, {24, 0, 0x40, 0, 12644428, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0
 02013   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02014   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02015   568   NtQueryInformationFile  (336, 12644444, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02016   568   NtReadFile  (336, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0
 02017   568   NtClose  (336, ... ) == 0x0
 02018   568   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "Environment"}, ... 336, ) }, ... 336, ) == 0x0
 02019   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02020   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02021   568   NtEnumerateValueKey  (336, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02022   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02023   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02024   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02025   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 12643160, ... ) }, 12643160, ... ) == 0x0
 02026   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02027   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02028   568   NtClose  (332, ... ) == 0x0
 02029   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02030   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02031   568   NtClose  (332, ... ) == 0x0
 02032   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02033   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02034   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02035   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0
 02036   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02037   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02038   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 12643160, ... ) }, 12643160, ... ) == 0x0
 02039   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02040   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02041   568   NtClose  (332, ... ) == 0x0
 02042   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0
 02043   568   NtQueryDirectoryFile  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1,  (332, 0, 0, 0, 12642520, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0
 02044   568   NtClose  (332, ... ) == 0x0
 02045   568   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02046   568   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02047   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02048   568   NtEnumerateValueKey  (336, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02049   568   NtClose  (336, ... ) == 0x0
 02050   568   NtOpenKey  (0x20019, {24, 320, 0x40, 0, 0,  (0x20019, {24, 320, 0x40, 0, 0, "Volatile Environment"}, ... 336, ) }, ... 336, ) == 0x0
 02051   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02052   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02053   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02054   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02055   568   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02056   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02057   568   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02058   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02059   568   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02060   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02061   568   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02062   568   NtQueryVirtualMemory  (-1, 0xc50000, Basic, 28, ... {BaseAddress=0xc50000,AllocationBase=0xc50000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0
 02063   568   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02064   568   NtEnumerateValueKey  (336, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02065   568   NtEnumerateValueKey  (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0
 02066   568   NtEnumerateValueKey  (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0
 02067   568   NtEnumerateValueKey  (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0
 02068   568   NtEnumerateValueKey  (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0
 02069   568   NtEnumerateValueKey  (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0
 02070   568   NtEnumerateValueKey  (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0
 02071   568   NtEnumerateValueKey  (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0
 02072   568   NtEnumerateValueKey  (336, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02073   568   NtClose  (336, ... ) == 0x0
 02074   568   NtClose  (320, ... ) == 0x0
 02075   568   NtFreeVirtualMemory  (-1, (0xc50000), 0, 32768, ... (0xc50000), 4096, ) == 0x0
 02076   568   NtClose  (328, ... ) == 0x0
 02077   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 12645084, ... ) }, 12645084, ... ) == 0x0
 02078   568   NtQueryInformationToken  (316, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0
 02079   568   NtOpenKey  (0x2001f, {24, 308, 0x40, 0, 0,  (0x2001f, {24, 308, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 328, ) }, ... 328, ) == 0x0
 02080   568   NtCreateKey  (0x2000000, {24, 328, 0x40, 0, 0,  (0x2000000, {24, 328, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 320, 2, ) }, 0, 0x0, 0, ... 320, 2, ) == 0x0
 02081   568   NtClose  (328, ... ) == 0x0
 02082   568   NtSetValueKey  (320,  (320, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1,  (320, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0
 02083   568   NtClose  (320, ... ) == 0x0
 02084   568   NtClose  (316, ... ) == 0x0
 02085   568   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND
 02086   568   NtCreateKey  (0x2, {24, 312, 0x40, 0, 0,  (0x2, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 316, 2, ) }, 0, "", 0, ... 316, 2, ) == 0x0
 02087   568   NtSetValueKey  (316,  (316, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (316, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02088   568   NtClose  (316, ... ) == 0x0
 02089   568   NtOpenKey  (0x20019, {24, 312, 0x40, 0, 0,  (0x20019, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0
 02090   568   NtQueryValueKey  (316,  (316, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02091   568   NtQueryValueKey  (316,  (316, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02092   568   NtQueryValueKey  (316,  (316, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02093   568   NtQueryValueKey  (316,  (316, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02094   568   NtClose  (316, ... ) == 0x0
 02095   568   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 02096   568   NtCreateKey  (0x1, {24, 312, 0x40, 0, 0,  (0x1, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 316, 2, ) }, 0, "", 0, ... 316, 2, ) == 0x0
 02097   568   NtQueryValueKey  (316,  (316, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02098   568   NtQueryValueKey  (316,  (316, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02099   568   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 02100   568   NtClose  (316, ... ) == 0x0
 02101   568   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 02102   568   NtCreateKey  (0x1, {24, 312, 0x40, 0, 0,  (0x1, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 316, 2, ) }, 0, "", 0, ... 316, 2, ) == 0x0
 02103   568   NtQueryValueKey  (316,  (316, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02104   568   NtQueryValueKey  (316,  (316, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (316, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02105   568   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 02106   568   NtClose  (316, ... ) == 0x0
 02107   568   NtWaitForSingleObject  (168, 0, 0x0, ... ) == 0x0
 02108   568   NtClearEvent  (168, ... ) == 0x0
 02109   568   NtSetEvent  (168, ... 0x0, ) == 0x0
 02110   568   NtCreateKey  (0x20006, {24, 312, 0x40, 0, 0,  (0x20006, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 316, 2, ) }, 0, "", 0, ... 316, 2, ) == 0x0
 02111   568   NtSetValueKey  (316,  (316, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (316, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02112   568   NtDeleteValueKey  (316,  (316, "ProxyServer", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02113   568   NtDeleteValueKey  (316,  (316, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02114   568   NtDeleteValueKey  (316,  (316, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02115   568   NtClose  (316, ... ) == 0x0
 02116   568   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 316, ) }, ... 316, ) == 0x0
 02117   568   NtCreateKey  (0x2, {24, 316, 0x40, 0, 0,  (0x2, {24, 316, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 320, 2, ) }, 0, "", 0, ... 320, 2, ) == 0x0
 02118   568   NtSetValueKey  (320,  (320, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4,  (320, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0
 02119   568   NtClose  (320, ... ) == 0x0
 02120   568   NtWaitForSingleObject  (188, 0, 0x0, ... ) == 0x0
 02121   568   NtCreateKey  (0x1, {24, 312, 0x40, 0, 0,  (0x1, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 320, 2, ) }, 0, "", 0, ... 320, 2, ) == 0x0
 02122   568   NtQueryValueKey  (320,  (320, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (320, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02123   568   NtQueryValueKey  (320,  (320, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (320, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0
 02124   568   NtCreateKey  (0x2, {24, 312, 0x40, 0, 0,  (0x2, {24, 312, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 328, 2, ) }, 0, "", 0, ... 328, 2, ) == 0x0
 02125   568   NtReleaseMutant  (188, ... 0x0, ) == 0x0
 02126   568   NtClose  (320, ... ) == 0x0
 02127   568   NtSetValueKey  (328,  (328, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3,  (328, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ...
 02128   568   NtSetInformationFile  (-2147482732, -135985356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02129   568   NtSetInformationFile  (-2147482732, -135985392, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02130   568   NtSetInformationFile  (-2147482732, -135985456, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02127   568   NtSetValueKey  ... ) == 0x0
 02131   568   NtClose  (328, ... ) == 0x0
 02132   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02133   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02134   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02135   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02136   568   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0
 02137   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02138   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12644556, ... ) }, 12644556, ... ) == 0x0
 02139   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 320, {status=0x0, info=1}, ) }, 5, 96, ... 320, {status=0x0, info=1}, ) == 0x0
 02140   568   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 320, ... 336, ) == 0x0
 02141   568   NtClose  (320, ... ) == 0x0
 02142   568   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 229376, ) == 0x0
 02143   568   NtClose  (336, ... ) == 0x0
 02144   568   NtUnmapViewOfSection  (-1, 0xc80000, ... ) == 0x0
 02145   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12644872, ... ) }, 12644872, ... ) == 0x0
 02146   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02147   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 336, ... 320, ) == 0x0
 02148   568   NtQuerySection  (320, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02149   568   NtClose  (336, ... ) == 0x0
 02150   568   NtMapViewOfSection  (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0
 02151   568   NtClose  (320, ... ) == 0x0
 02152   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02153   568   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02154   568   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 320, ) == 0x0
 02155   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02156   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12644672, ... ) }, 12644672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 12644672, ... ) }, 12644672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02158   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 12644672, ... ) }, 12644672, ... ) == 0x0
 02159   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02160   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 336, ... 332, ) == 0x0
 02161   568   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02162   568   NtClose  (336, ... ) == 0x0
 02163   568   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0
 02164   568   NtClose  (332, ... ) == 0x0
 02165   568   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) , 0, ... 332, 2, ) == 0x0
 02166   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02167   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02168   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02169   568   NtQueryValueKey  (336,  (336, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02170   568   NtQueryValueKey  (332,  (332, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02171   568   NtQueryValueKey  (336,  (336, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02172   568   NtQueryValueKey  (332,  (332, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02173   568   NtQueryValueKey  (336,  (336, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02174   568   NtQueryValueKey  (332,  (332, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02175   568   NtQueryValueKey  (336,  (336, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02176   568   NtQueryValueKey  (332,  (332, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02177   568   NtQueryValueKey  (336,  (336, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02178   568   NtQueryValueKey  (336,  (336, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02179   568   NtQueryValueKey  (336,  (336, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   568   NtQueryValueKey  (336,  (336, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02181   568   NtQueryValueKey  (336,  (336, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02182   568   NtQueryValueKey  (336,  (336, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02183   568   NtQueryValueKey  (336,  (336, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02184   568   NtQueryValueKey  (332,  (332, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   568   NtQueryValueKey  (336,  (336, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02186   568   NtQueryValueKey  (336,  (336, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   568   NtQueryValueKey  (332,  (332, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   568   NtQueryValueKey  (336,  (336, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02189   568   NtQueryValueKey  (332,  (332, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02190   568   NtQueryValueKey  (336,  (336, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02191   568   NtQueryValueKey  (332,  (332, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   568   NtQueryValueKey  (336,  (336, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02193   568   NtQueryValueKey  (332,  (332, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   568   NtQueryValueKey  (336,  (336, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02195   568   NtQueryValueKey  (332,  (332, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02196   568   NtQueryValueKey  (336,  (336, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02197   568   NtQueryValueKey  (332,  (332, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   568   NtQueryValueKey  (336,  (336, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02199   568   NtQueryValueKey  (332,  (332, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   568   NtQueryValueKey  (336,  (336, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   568   NtQueryValueKey  (332,  (332, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   568   NtQueryValueKey  (336,  (336, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   568   NtQueryValueKey  (336,  (336, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   568   NtQueryValueKey  (336,  (336, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02205   568   NtQueryValueKey  (336,  (336, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   568   NtQueryValueKey  (336,  (336, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   568   NtQueryValueKey  (336,  (336, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   568   NtQueryValueKey  (336,  (336, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   568   NtQueryValueKey  (336,  (336, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02210   568   NtQueryValueKey  (336,  (336, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   568   NtQueryValueKey  (336,  (336, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02212   568   NtQueryValueKey  (336,  (336, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   568   NtQueryValueKey  (336,  (336, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02214   568   NtQueryValueKey  (336,  (336, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02215   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 340, ) }, ... 340, ) == 0x0
 02216   568   NtQueryValueKey  (340,  (340, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02217   568   NtClose  (340, ... ) == 0x0
 02218   568   NtClose  (332, ... ) == 0x0
 02219   568   NtClose  (336, ... ) == 0x0
 02220   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02221   568   NtQueryValueKey  (336,  (336, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02222   568   NtQueryValueKey  (336,  (336, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   568   NtQueryValueKey  (336,  (336, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02224   568   NtClose  (336, ... ) == 0x0
 02225   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02226   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12645148, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12645148, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02227   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 2359296, 127216, 2359296, 12644912}  (332, {128, 152, new_msg, 0, 2359296, 127216, 2359296, 12644912} "\0$\370w\340\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0 <%\0\4\0\0\0 <%\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\10\326%\0\250\337%\0\0\0\0\0\240\337%\0\310\337%\0\340\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\204\0\0\0" ... {128, 152, reply, 0, 412, 568, 1518, 0} "\7$\370w\340\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 <%\0\377\377\377\377 <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\10\326%\0\250\337%\0\0\0\0\0\240\337%\0\310\337%\0\340\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\204\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1518, 0}  (332, {128, 152, new_msg, 0, 2359296, 127216, 2359296, 12644912} "\0$\370w\340\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0 <%\0\4\0\0\0 <%\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\10\326%\0\250\337%\0\0\0\0\0\240\337%\0\310\337%\0\340\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\204\0\0\0" ... {128, 152, reply, 0, 412, 568, 1518, 0} "\7$\370w\340\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 <%\0\377\377\377\377 <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\10\326%\0\250\337%\0\0\0\0\0\240\337%\0\310\337%\0\340\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\204\0\0\0" )  ) == 0x0
 02228   568   NtRequestWaitReplyPort  (332, {64, 88, new_msg, 0, 44, 3, 20, 0}  (332, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 412, 568, 1519, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ... {52, 76, reply, 0, 412, 568, 1519, 0}  (332, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0s\206\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 412, 568, 1519, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" )  ) == 0x0
 02229   568   NtClose  (336, ... ) == 0x0
 02230   568   NtClose  (332, ... ) == 0x0
 02231   568   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) , 0, ... 332, 2, ) == 0x0
 02232   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02233   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02234   568   NtQueryValueKey  (332,  (332, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02235   568   NtQueryValueKey  (332,  (332, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0
 02236   568   NtClose  (332, ... ) == 0x0
 02237   568   NtClose  (336, ... ) == 0x0
 02238   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02239   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12645012, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12645012, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02240   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 2359296, 127080, 2359296, 12644776}  (332, {128, 152, new_msg, 0, 2359296, 127080, 2359296, 12644776} "\0$\370wX\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0 <%\0\4\0\0\0 <%\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\10\326%\0\320\337%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\300\0\224\363\300\0\0\0\0\0\0\0\0\0\340\330%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1522, 0} "\7$\370wX\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 <%\0\377\377\377\377 <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\10\326%\0\320\337%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\300\0\224\363\300\0\0\0\0\0\0\0\0\0\340\330%\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1522, 0}  (332, {128, 152, new_msg, 0, 2359296, 127080, 2359296, 12644776} "\0$\370wX\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0 <%\0\4\0\0\0 <%\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\10\326%\0\320\337%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\300\0\224\363\300\0\0\0\0\0\0\0\0\0\340\330%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1522, 0} "\7$\370wX\370\300\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 <%\0\377\377\377\377 <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\10\326%\0\320\337%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\300\0\224\363\300\0\0\0\0\0\0\0\0\0\340\330%\0\5\0\0\0" )  ) == 0x0
 02241   568   NtRequestWaitReplyPort  (332, {44, 68, new_msg, 0, 412, 568, 1519, 0}  (332, {44, 68, new_msg, 0, 412, 568, 1519, 0} "\1\226\0\0A\2\4\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 568, 1523, 0} "\2\226\0\0\4\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\324\1\0\0\240,\11\0" )  ... {40, 64, reply, 0, 412, 568, 1523, 0}  (332, {44, 68, new_msg, 0, 412, 568, 1519, 0} "\1\226\0\0A\2\4\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 568, 1523, 0} "\2\226\0\0\4\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\324\1\0\0\240,\11\0" )  ) == 0x0
 02242   568   NtRequestWaitReplyPort  (332, {64, 88, new_msg, 56, 0, 1, 0, 0}  (332, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\300\0@\0\314w\240\325%\0\\364\300\0\304\364\300\0\0\267\362v\304\364\300\0\240\325%\0\1\0\0\0\20\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 568, 1524, 0} "\10\364\300\0@\0\314w\240\325%\0\\364\300\0\304\364\300\0\0\267\362v\304\364\300\0\240\325%\0\1\0\0\0\20\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {64, 88, reply, 56, 412, 568, 1524, 0}  (332, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364\300\0@\0\314w\240\325%\0\\364\300\0\304\364\300\0\0\267\362v\304\364\300\0\240\325%\0\1\0\0\0\20\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 568, 1524, 0} "\10\364\300\0@\0\314w\240\325%\0\\364\300\0\304\364\300\0\0\267\362v\304\364\300\0\240\325%\0\1\0\0\0\20\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02243   568   NtClose  (336, ... ) == 0x0
 02244   568   NtClose  (332, ... ) == 0x0
 02245   568   NtCreateKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) }, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 332, 2, ) , 0, ... 332, 2, ) == 0x0
 02246   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02247   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02248   568   NtQueryValueKey  (332,  (332, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02249   568   NtQueryValueKey  (332,  (332, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 02250   568   NtClose  (332, ... ) == 0x0
 02251   568   NtClose  (336, ... ) == 0x0
 02252   568   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0
 02253   568   NtQueryValueKey  (336,  (336, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02254   568   NtClose  (336, ... ) == 0x0
 02255   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12644556, ... ) }, 12644556, ... ) == 0x0
 02256   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0
 02257   568   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 336, ... 332, ) == 0x0
 02258   568   NtClose  (336, ... ) == 0x0
 02259   568   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc50000), 0x0, 16384, ) == 0x0
 02260   568   NtClose  (332, ... ) == 0x0
 02261   568   NtUnmapViewOfSection  (-1, 0xc50000, ... ) == 0x0
 02262   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12644872, ... ) }, 12644872, ... ) == 0x0
 02263   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 332, {status=0x0, info=1}, ) }, 5, 96, ... 332, {status=0x0, info=1}, ) == 0x0
 02264   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 332, ... 336, ) == 0x0
 02265   568   NtQuerySection  (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02266   568   NtClose  (332, ... ) == 0x0
 02267   568   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0
 02268   568   NtClose  (336, ... ) == 0x0
 02269   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 336, ) }, ... 336, ) == 0x0
 02270   568   NtMapViewOfSection  (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0
 02271   568   NtClose  (336, ... ) == 0x0
 02272   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0
 02273   568   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 332, ) }, ... 332, ) == 0x0
 02274   568   NtQueryValueKey  (332,  (332, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02275   568   NtClose  (332, ... ) == 0x0
 02276   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12644556, ... ) }, 12644556, ... ) == 0x0
 02277   568   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 02278   568   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 12910592, 65536, ) == 0x0
 02279   568   NtAllocateVirtualMemory  (-1, 12910592, 0, 4096, 4096, 4, ... 12910592, 4096, ) == 0x0
 02280   568   NtAllocateVirtualMemory  (-1, 12914688, 0, 8192, 4096, 4, ... 12914688, 8192, ) == 0x0
 02281   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02282   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02283   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\10\326%\0@\222%\0\0\0\0\08\222%\0`\222%\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0^\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1527, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\10\326%\0@\222%\0\0\0\0\08\222%\0`\222%\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0^\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1527, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\10\326%\0@\222%\0\0\0\0\08\222%\0`\222%\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0^\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1527, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\10\326%\0@\222%\0\0\0\0\08\222%\0`\222%\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0^\0\0\0\5\0\0\0" )  ) == 0x0
 02284   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 412, 568, 1523, 0}  (340, {108, 132, new_msg, 0, 412, 568, 1523, 0} "\1\226\0\0A\2\11\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1528, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1528, 0}  (340, {108, 132, new_msg, 0, 412, 568, 1523, 0} "\1\226\0\0A\2\11\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1528, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02285   568   NtClose  (332, ... ) == 0x0
 02286   568   NtClose  (340, ... ) == 0x0
 02287   568   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 340, ) }, ... 340, ) == 0x0
 02288   568   NtQueryValueKey  (340,  (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02289   568   NtQueryValueKey  (340,  (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0
 02290   568   NtQueryValueKey  (340,  (340, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   568   NtClose  (340, ... ) == 0x0
 02292   568   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02293   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 12645592, ... ) }, 12645592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   568   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 12645592, ... ) }, 12645592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02295   568   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 12645592, ... ) }, 12645592, ... ) == 0x0
 02296   568   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0
 02297   568   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 340, ... 332, ) == 0x0
 02298   568   NtQuerySection  (332, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02299   568   NtClose  (340, ... ) == 0x0
 02300   568   NtMapViewOfSection  (332, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0
 02301   568   NtClose  (332, ... ) == 0x0
 02302   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02303   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02304   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02305   568   NtClose  (340, ... ) == 0x0
 02306   568   NtClose  (332, ... ) == 0x0
 02307   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02308   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02309   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02310   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02311   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02312   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02313   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02314   568   NtClose  (332, ... ) == 0x0
 02315   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316   568   NtClose  (340, ... ) == 0x0
 02317   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02318   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02319   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02320   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02321   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02322   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02323   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02324   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02325   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02326   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02327   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02328   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0T\1\0\0X\232%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1605, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0T\1\0\0X\232%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1605, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0T\1\0\0X\232%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1605, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0T\1\0\0X\232%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02329   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 412, 568, 1528, 0}  (332, {108, 132, new_msg, 0, 412, 568, 1528, 0} "\1\226\0\0A\2\11\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1606, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1606, 0}  (332, {108, 132, new_msg, 0, 412, 568, 1528, 0} "\1\226\0\0A\2\11\0\30\342\34\201?\2\0\0C\6O\200?\2\0\0\377\377\377\377\0\20\342\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1606, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02330   568   NtClose  (340, ... ) == 0x0
 02331   568   NtClose  (332, ... ) == 0x0
 02332   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02333   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02334   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02335   568   NtClose  (340, ... ) == 0x0
 02336   568   NtClose  (332, ... ) == 0x0
 02337   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02338   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02339   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02340   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02341   568   NtClose  (332, ... ) == 0x0
 02342   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02343   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02344   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02345   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02346   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02347   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02348   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02349   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02350   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02351   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02352   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\233!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02353   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02354   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02355   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\356-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02356   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\355-i\232s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02357   568   NtClose  (332, ... ) == 0x0
 02358   568   NtClose  (340, ... ) == 0x0
 02359   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02360   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02361   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02362   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02363   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02364   568   NtClose  (340, ... ) == 0x0
 02365   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02366   568   NtClose  (332, ... ) == 0x0
 02367   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02368   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02369   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02370   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02371   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02372   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02373   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02374   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02375   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02376   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02377   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02378   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\10\326%\0\0\226%\0\330\223%\0\240\1$\0L\1\0\0\320\225%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1616, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\10\326%\0\0\226%\0\330\223%\0\240\1$\0L\1\0\0\320\225%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1616, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\10\326%\0\0\226%\0\330\223%\0\240\1$\0L\1\0\0\320\225%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1616, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\10\326%\0\0\226%\0\330\223%\0\240\1$\0L\1\0\0\320\225%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02379   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1617, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1617, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1617, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02380   568   NtClose  (332, ... ) == 0x0
 02381   568   NtClose  (340, ... ) == 0x0
 02382   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02383   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02384   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02385   568   NtClose  (332, ... ) == 0x0
 02386   568   NtClose  (340, ... ) == 0x0
 02387   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02388   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02389   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02390   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02391   568   NtClose  (340, ... ) == 0x0
 02392   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02393   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02394   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02395   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02396   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02397   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02398   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02399   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02400   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02401   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02402   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\235!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02403   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02404   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02405   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02406   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\362%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02407   568   NtClose  (340, ... ) == 0x0
 02408   568   NtClose  (332, ... ) == 0x0
 02409   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02410   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02411   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02412   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02413   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02414   568   NtClose  (332, ... ) == 0x0
 02415   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02416   568   NtClose  (340, ... ) == 0x0
 02417   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02418   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02419   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02420   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02421   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02422   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02423   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02424   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02425   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02426   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02427   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02428   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\10\326%\0h\222%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1623, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\10\326%\0h\222%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1623, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\10\326%\0h\222%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1623, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\10\326%\0h\222%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02429   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1624, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1624, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1624, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02430   568   NtClose  (340, ... ) == 0x0
 02431   568   NtClose  (332, ... ) == 0x0
 02432   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02433   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02434   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02435   568   NtClose  (340, ... ) == 0x0
 02436   568   NtClose  (332, ... ) == 0x0
 02437   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02438   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02439   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02440   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02441   568   NtClose  (332, ... ) == 0x0
 02442   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02443   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02444   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02445   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02446   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02447   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02448   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02449   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02450   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02451   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02452   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02453   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02454   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02455   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02456   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\366%\273\241s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02457   568   NtClose  (332, ... ) == 0x0
 02458   568   NtClose  (340, ... ) == 0x0
 02459   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02460   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02461   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02462   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02463   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02464   568   NtClose  (340, ... ) == 0x0
 02465   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02466   568   NtClose  (332, ... ) == 0x0
 02467   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02468   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02469   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02470   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02471   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02472   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02473   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02474   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02475   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02476   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02477   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02478   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\10\326%\0\0\226%\0h\222%\0\240\1$\0L\1\0\0\20\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1627, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\10\326%\0\0\226%\0h\222%\0\240\1$\0L\1\0\0\20\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1627, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\10\326%\0\0\226%\0h\222%\0\240\1$\0L\1\0\0\20\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1627, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\10\326%\0\0\226%\0h\222%\0\240\1$\0L\1\0\0\20\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02479   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1628, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1628, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1628, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02480   568   NtClose  (332, ... ) == 0x0
 02481   568   NtClose  (340, ... ) == 0x0
 02482   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02483   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02484   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02485   568   NtClose  (332, ... ) == 0x0
 02486   568   NtClose  (340, ... ) == 0x0
 02487   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02488   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02489   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02490   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02491   568   NtClose  (340, ... ) == 0x0
 02492   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02493   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02494   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02495   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02496   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02497   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02498   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02499   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02500   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02501   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02502   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02503   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02504   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02505   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0)\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02506   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0(\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02507   568   NtClose  (340, ... ) == 0x0
 02508   568   NtClose  (332, ... ) == 0x0
 02509   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02510   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02511   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02512   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02513   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02514   568   NtClose  (332, ... ) == 0x0
 02515   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02516   568   NtClose  (340, ... ) == 0x0
 02517   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02518   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02519   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02520   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02521   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02522   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02523   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02524   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02525   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02526   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02527   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02528   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1656, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1656, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1656, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02529   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1657, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1657, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1657, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02530   568   NtClose  (340, ... ) == 0x0
 02531   568   NtClose  (332, ... ) == 0x0
 02532   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02533   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02534   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02535   568   NtClose  (340, ... ) == 0x0
 02536   568   NtClose  (332, ... ) == 0x0
 02537   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02538   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02539   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02540   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02541   568   NtClose  (332, ... ) == 0x0
 02542   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02543   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02544   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02545   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02546   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02547   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02548   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02549   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02550   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02551   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02552   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\243!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02553   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02554   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02555   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0-\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02556   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0,\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02557   568   NtClose  (332, ... ) == 0x0
 02558   568   NtClose  (340, ... ) == 0x0
 02559   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02560   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02561   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02562   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02563   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02564   568   NtClose  (340, ... ) == 0x0
 02565   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02566   568   NtClose  (332, ... ) == 0x0
 02567   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02568   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02569   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02570   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02571   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02572   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02573   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02574   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02575   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02576   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02577   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02578   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\10\326%\0\0\226%\0\30\222%\0\240\1$\0L\1\0\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1667, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\10\326%\0\0\226%\0\30\222%\0\240\1$\0L\1\0\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1667, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\10\326%\0\0\226%\0\30\222%\0\240\1$\0L\1\0\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1667, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\10\326%\0\0\226%\0\30\222%\0\240\1$\0L\1\0\0\320\223%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02579   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1668, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1668, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1668, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02580   568   NtClose  (332, ... ) == 0x0
 02581   568   NtClose  (340, ... ) == 0x0
 02582   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02583   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02584   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02585   568   NtClose  (332, ... ) == 0x0
 02586   568   NtClose  (340, ... ) == 0x0
 02587   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02588   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02589   568   NtWaitForMultipleObjects  (2, (244, 260, ), 1, 0, {0, 0}, ... ) == 0x0
 02590   568   NtQueryValueKey  (256,  (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02591   568   NtQueryValueKey  (256,  (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 02592   568   NtQueryValueKey  (256,  (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02593   568   NtQueryValueKey  (256,  (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0
 02594   568   NtQueryValueKey  (256,  (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (256, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0
 02595   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 02596   568   NtQueryValueKey  (256,  (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (256, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0
 02597   568   NtNotifyChangeKey  (256, 260, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103
 02598   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02599   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02600   568   NtClose  (340, ... ) == 0x0
 02601   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02602   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02603   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02604   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02605   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02606   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02607   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02608   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02609   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02610   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02611   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\245!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02612   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02613   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02614   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\01\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02615   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00\320\376\250s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02616   568   NtClose  (340, ... ) == 0x0
 02617   568   NtClose  (332, ... ) == 0x0
 02618   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02619   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02620   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02621   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02622   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02623   568   NtClose  (332, ... ) == 0x0
 02624   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02625   568   NtClose  (340, ... ) == 0x0
 02626   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02627   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02628   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02629   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02630   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02631   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02632   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02633   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02634   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02635   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02636   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02637   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1671, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1671, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1671, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\10\326%\0\330\225%\0`\232%\0\240\1$\0T\1\0\08\222%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02638   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1672, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1672, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1672, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02639   568   NtClose  (340, ... ) == 0x0
 02640   568   NtClose  (332, ... ) == 0x0
 02641   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02642   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02643   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02644   568   NtClose  (340, ... ) == 0x0
 02645   568   NtClose  (332, ... ) == 0x0
 02646   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02647   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02648   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02649   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02650   568   NtClose  (332, ... ) == 0x0
 02651   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02652   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02653   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02654   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02655   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02656   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02657   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02658   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02659   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02660   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\247!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02661   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\247!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\247!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02662   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02663   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02664   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\315:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02665   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\314:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02666   568   NtClose  (332, ... ) == 0x0
 02667   568   NtClose  (340, ... ) == 0x0
 02668   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02669   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02670   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02671   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02672   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02673   568   NtClose  (340, ... ) == 0x0
 02674   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02675   568   NtClose  (332, ... ) == 0x0
 02676   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02677   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02678   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02679   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02680   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02681   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02682   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02683   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02684   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02685   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02686   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02687   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1683, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1683, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1683, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02688   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1684, 0} "\2\220\372\177\1\00\300\0\0\0\0R\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1684, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1684, 0} "\2\220\372\177\1\00\300\0\0\0\0R\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02689   568   NtClose  (332, ... ) == 0x0
 02690   568   NtClose  (340, ... ) == 0x0
 02691   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02692   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02693   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02694   568   NtClose  (332, ... ) == 0x0
 02695   568   NtClose  (340, ... ) == 0x0
 02696   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02697   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02698   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02699   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02700   568   NtClose  (340, ... ) == 0x0
 02701   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02702   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02703   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02704   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02705   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02706   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02707   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02708   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02709   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02710   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\251!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02711   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\251!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\251!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02712   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02713   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02714   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\321:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02715   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\320:\244\260s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02716   568   NtClose  (340, ... ) == 0x0
 02717   568   NtClose  (332, ... ) == 0x0
 02718   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02719   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02720   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02721   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02722   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02723   568   NtClose  (332, ... ) == 0x0
 02724   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02725   568   NtClose  (340, ... ) == 0x0
 02726   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02727   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02728   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02729   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02730   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02731   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02732   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02733   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02734   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02735   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02736   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02737   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\10\326%\0\260\225%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1694, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\10\326%\0\260\225%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1694, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\10\326%\0\260\225%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1694, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0\10\326%\0\260\225%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02738   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1695, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1695, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1695, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02739   568   NtClose  (340, ... ) == 0x0
 02740   568   NtClose  (332, ... ) == 0x0
 02741   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02742   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02743   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02744   568   NtClose  (340, ... ) == 0x0
 02745   568   NtClose  (332, ... ) == 0x0
 02746   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02747   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02748   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02749   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02750   568   NtClose  (332, ... ) == 0x0
 02751   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02752   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02753   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02754   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02755   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02756   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02757   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02758   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02759   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02760   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02761   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\253!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02762   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02763   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02764   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\251\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02765   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\250\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02766   568   NtClose  (332, ... ) == 0x0
 02767   568   NtClose  (340, ... ) == 0x0
 02768   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02769   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02770   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02771   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02772   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02773   568   NtClose  (340, ... ) == 0x0
 02774   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02775   568   NtClose  (332, ... ) == 0x0
 02776   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02777   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02778   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02779   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02780   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02781   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02782   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02783   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02784   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02785   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02786   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02787   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\10\326%\0\0\226%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1698, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\10\326%\0\0\226%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1698, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\10\326%\0\0\226%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1698, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0\10\326%\0\0\226%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02788   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1699, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1699, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1699, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02789   568   NtClose  (332, ... ) == 0x0
 02790   568   NtClose  (340, ... ) == 0x0
 02791   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02792   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02793   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02794   568   NtClose  (332, ... ) == 0x0
 02795   568   NtClose  (340, ... ) == 0x0
 02796   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02797   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02798   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02799   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02800   568   NtClose  (340, ... ) == 0x0
 02801   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02802   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02803   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02804   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02805   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02806   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02807   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02808   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02809   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02810   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\255!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02811   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\255!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\255!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02812   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02813   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02814   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\255\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02815   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\254\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02816   568   NtClose  (340, ... ) == 0x0
 02817   568   NtClose  (332, ... ) == 0x0
 02818   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02819   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02820   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02821   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02822   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02823   568   NtClose  (332, ... ) == 0x0
 02824   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02825   568   NtClose  (340, ... ) == 0x0
 02826   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02827   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02828   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02829   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02830   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02831   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02832   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02833   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02834   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02835   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02836   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02837   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\10\326%\0\330\223%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1713, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\10\326%\0\330\223%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1713, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\10\326%\0\330\223%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1713, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\10\326%\0\330\223%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02838   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1714, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1714, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1714, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02839   568   NtClose  (340, ... ) == 0x0
 02840   568   NtClose  (332, ... ) == 0x0
 02841   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02842   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02843   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02844   568   NtClose  (340, ... ) == 0x0
 02845   568   NtClose  (332, ... ) == 0x0
 02846   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02847   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02848   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02849   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02850   568   NtClose  (332, ... ) == 0x0
 02851   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02852   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02853   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02854   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02855   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02856   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02857   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02858   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02859   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02860   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\257!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02861   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\257!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\257!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02862   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02863   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02864   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02865   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\260\202\345\267s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02866   568   NtClose  (332, ... ) == 0x0
 02867   568   NtClose  (340, ... ) == 0x0
 02868   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02869   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02870   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02871   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02872   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02873   568   NtClose  (340, ... ) == 0x0
 02874   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02875   568   NtClose  (332, ... ) == 0x0
 02876   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02877   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02878   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02879   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02880   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02881   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02882   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02883   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02884   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02885   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02886   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 340, 0x0, 0x0, 0x0, 112, ) == 0x0
 02887   568   NtRequestWaitReplyPort  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\10\326%\0\330\225%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1723, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\10\326%\0\330\225%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1723, 0}  (340, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\10\326%\0\330\225%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1723, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\10\326%\0\330\225%\0\0\0\0\00\365\300\0L\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02888   568   NtRequestWaitReplyPort  (340, {108, 132, new_msg, 0, 44, 5, 20, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1724, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1724, 0}  (340, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1724, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02889   568   NtClose  (332, ... ) == 0x0
 02890   568   NtClose  (340, ... ) == 0x0
 02891   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 340, {status=0x0, info=0}, ) == 0x0
 02892   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02893   568   NtDeviceIoControlFile  (340, 332, 0x0, 0x0, 0xf14014,  (340, 332, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02894   568   NtClose  (332, ... ) == 0x0
 02895   568   NtClose  (340, ... ) == 0x0
 02896   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02897   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02898   568   NtWaitForMultipleObjects  (2, (244, 260, ), 1, 0, {0, 0}, ... ) == 0x102
 02899   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 340, ) }, ... 340, ) == 0x0
 02900   568   NtWaitForSingleObject  (340, 0, {-1800000000, -1}, ... ) == 0x0
 02901   568   NtClose  (340, ... ) == 0x0
 02902   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02903   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02904   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02905   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02906   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 332, {status=0x0, info=1}, ) == 0x0
 02907   568   NtSetInformationFile  (332, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02908   568   NtSetInformationFile  (332, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02909   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02910   568   NtWriteFile  (332, 277, 0, 0,  (332, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02911   568   NtReadFile  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (332, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02912   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02913   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02914   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02915   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\215\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02916   568   NtFsControlFile  (332, 277, 0x0, 0x0, 0x11c017,  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (332, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\214\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02917   568   NtClose  (340, ... ) == 0x0
 02918   568   NtClose  (332, ... ) == 0x0
 02919   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02920   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02921   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02922   568   NtWaitForMultipleObjects  (2, (244, 260, ), 1, 0, {0, 0}, ... ) == 0x102
 02923   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02924   568   NtCreateKey  (0x20019, {24, 332, 0x40, 0, 0,  (0x20019, {24, 332, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02925   568   NtClose  (332, ... ) == 0x0
 02926   568   NtQueryValueKey  (340,  (340, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02927   568   NtClose  (340, ... ) == 0x0
 02928   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02929   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02930   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02931   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02932   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02933   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02934   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02935   568   NtDelayExecution  (0, {-50000000, -1}, ... ) == 0x0
 02936   568   NtWaitForSingleObject  (112, 0, {0, 0}, ... ) == 0x102
 02937   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02938   568   NtConnectPort  ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12644832, 112, ... 332, 0x0, 0x0, 0x0, 112, ) == 0x0
 02939   568   NtRequestWaitReplyPort  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1728, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ... {128, 152, reply, 0, 412, 568, 1728, 0}  (332, {128, 152, new_msg, 0, 126900, 2359296, 12644596, 2012750850} "\0\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w <%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 568, 1728, 0} "\7\367\300\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\22\0\10\326%\0\30\222%\0\0\0\0\00\365\300\0T\1\0\0\30\0\0\0\0\0\0\0\0\0\300\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" )  ) == 0x0
 02940   568   NtRequestWaitReplyPort  (332, {108, 132, new_msg, 0, 44, 5, 20, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1729, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ... {44, 68, reply, 0, 412, 568, 1729, 0}  (332, {108, 132, new_msg, 0, 44, 5, 20, 0} "\1\0\0\0A\2\11\0s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\377\377\377\377\7\0\0\0\0\0\0\0\214\221%\0\24\0\0\0\0\0\0\0\24\0\0\0g\0s\0m\0t\0p\01\08\05\0.\0g\0o\0o\0g\0l\0e\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 568, 1729, 0} "\2\226\0\0\1\0\221\200\30\342\34\201?\2\0\0C\6O\200?\2\0\0\30\342\34\201\0\20\342\0\0\0\0\0\264\5\0\0\1\0\0\0" )  ) == 0x0
 02941   568   NtClose  (340, ... ) == 0x0
 02942   568   NtClose  (332, ... ) == 0x0
 02943   568   NtCreateFile  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 332, {status=0x0, info=0}, ) == 0x0
 02944   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0
 02945   568   NtDeviceIoControlFile  (332, 340, 0x0, 0x0, 0xf14014,  (332, 340, 0x0, 0x0, 0xf14014, "\3\0\0\0gsmtp185.google.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL
 02946   568   NtClose  (340, ... ) == 0x0
 02947   568   NtClose  (332, ... ) == 0x0
 02948   568   NtWaitForSingleObject  (180, 0, 0x0, ... ) == 0x0
 02949   568   NtWaitForSingleObject  (184, 0, 0x0, ... ) == 0x0
 02950   568   NtWaitForMultipleObjects  (2, (244, 260, ), 1, 0, {0, 0}, ... ) == 0x102
 02951   568   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 332, ) }, ... 332, ) == 0x0
 02952   568   NtWaitForSingleObject  (332, 0, {-1800000000, -1}, ... ) == 0x0
 02953   568   NtClose  (332, ... ) == 0x0
 02954   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02955   568   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 332, ) == 0x0
 02956   568   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02957   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02958   568   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 12645576,  (0xc0100080, {24, 0, 0x40, 0, 12645576, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 340, {status=0x0, info=1}, ) == 0x0
 02959   568   NtSetInformationFile  (340, 12645632, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 02960   568   NtSetInformationFile  (340, 12645624, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 02961   568   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 02962   568   NtWriteFile  (340, 277, 0, 0,  (340, 277, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 02963   568   NtReadFile  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (340, 277, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\263!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 02964   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\263!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\263!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 02965   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02966   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 02967   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\221\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02968   568   NtFsControlFile  (340, 277, 0x0, 0x0, 0x11c017,  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48},  (340, 277, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\220\312&\277s\206\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 02969   568   NtClose  (332, ... ) == 0x0
 02970   568   NtClose  (340, ... ) == 0x0
 02971   568   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 02972   568   NtQueryValueKey  (76,  (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02973   568   NtQueryValueKey  (76,  (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02974   568   NtWaitForMultipleObjects  (2, (244, 260, ), 1, 0, {0, 0}, ... ) == 0x102
 02975   568   NtCreateKey  (0x2001d, {24, 32, 0x40, 0, 0,  (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 340, 2, ) }, 0, 0x0, 0, ... 340, 2, ) == 0x0
 02976   568   NtCreateKey  (0x20019, {24, 340, 0x40, 0, 0,  (0x20019, {24, 340, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 332, 2, ) }, 0, 0x0, 0, ... 332, 2, ) == 0x0
 02977   568   NtClose  (340, ... ) == 0x0
 02978   568   NtQueryValueKey  (332,  (332, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02979   568   NtClose  (332, ... ) == 0x0
 02980   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02981   568   NtQueryInformationFile  (124, 12646996, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02982   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02983   568   NtWaitForSingleObject  (128, 0, 0x0, ... ) == 0x0
 02984   568   NtQueryInformationFile  (124, 12647152, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02985   568   NtReleaseMutant  (128, ... 0x0, ) == 0x0
 02986   568   NtReleaseMutant  (180, ... 0x0, ) == 0x0
 02987   568   NtDelayExecution  (0, {-50000000, -1}, ...
NtAccessCheck(>)	1	NtUserSetWindowsHookEx(>)	1	NtGdiGetStockObject(>)	5	NtQueryInformationToken(>)	25
NtAddAtom(>)	1	NtUserShowWindow(>)	1	NtNotifyChangeKey(>)	5	NtCreateSection(>)	31
NtClearEvent(>)	1	NtCallbackReturn(>)	2	NtWaitForMultipleObjects(>)	5	NtProtectVirtualMemory(>)	35
NtCreateThread(>)	1	NtContinue(>)	2	NtOpenProcessToken(>)	6	NtQueryDefaultLocale(>)	36
NtGdiCreateBitmap(>)	1	NtCreateIoCompletion(>)	2	NtUserCallNoParam(>)	7	NtUserGetClassInfo(>)	37
NtGdiDeleteObjectApp(>)	1	NtDuplicateToken(>)	2	NtCreateSemaphore(>)	9	NtOpenSection(>)	40
NtGdiInit(>)	1	NtGdiCreatePatternBrushInternal(>)	2	NtOpenMutant(>)	9	NtSetInformationThread(>)	43
NtGdiQueryFontAssocInfo(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryVolumeInformationFile(>)	9	NtQueryInformationFile(>)	47
NtGdiSelectBitmap(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultUILanguage(>)	10	NtAllocateVirtualMemory(>)	49
NtOpenKeyedEvent(>)	1	NtOpenDirectoryObject(>)	2	NtQueryDirectoryFile(>)	10	NtCreateFile(>)	49
NtOpenProcess(>)	1	NtQueryInstallUILanguage(>)	2	NtOpenProcessTokenEx(>)	11	NtOpenThreadToken(>)	50
NtOpenSymbolicLinkObject(>)	1	NtQueryKey(>)	2	NtOpenThreadTokenEx(>)	11	NtRequestWaitReplyPort(>)	50
NtQueryEvent(>)	1	NtQuerySecurityObject(>)	2	NtUserSystemParametersInfo(>)	11	NtUserFindExistingCursorIcon(>)	51
NtQueryInformationThread(>)	1	NtRegisterThreadTerminatePort(>)	2	NtDelayExecution(>)	14	NtCreateKey(>)	55
NtQueryObject(>)	1	NtSetEvent(>)	2	NtDeviceIoControlFile(>)	14	NtMapViewOfSection(>)	57
NtQuerySymbolicLinkObject(>)	1	NtTestAlert(>)	2	NtUnmapViewOfSection(>)	16	NtQueryVirtualMemory(>)	60
NtQuerySystemTime(>)	1	NtUserCreateWindowEx(>)	2	NtFlushInstructionCache(>)	17	NtSetInformationFile(>)	61
NtQueryTimerResolution(>)	1	NtUserGetThreadDesktop(>)	2	NtConnectPort(>)	19	NtOpenFile(>)	64
NtResumeThread(>)	1	NtUserMessageCall(>)	2	NtQuerySection(>)	19	NtUserRegisterClassExWOW(>)	64
NtSecureConnectPort(>)	1	NtDeleteValueKey(>)	3	NtUserGetWindowDC(>)	19	NtReleaseMutant(>)	71
NtUserGetAncestor(>)	1	NtFreeVirtualMemory(>)	3	NtOpenEvent(>)	20	NtCreateEvent(>)	73
NtUserGetClassName(>)	1	NtGdiCreateCompatibleDC(>)	3	NtSetInformationProcess(>)	20	NtFsControlFile(>)	92
NtUserGetDC(>)	1	NtUserGetObjectInformation(>)	3	NtUserCallOneParam(>)	20	NtQueryAttributesFile(>)	92
NtUserGetGUIThreadInfo(>)	1	NtCreateMutant(>)	4	NtQueryDebugFilterState(>)	22	NtEnumerateValueKey(>)	93
NtUserGetMessage(>)	1	NtEnumerateKey(>)	4	NtQuerySystemInformation(>)	22	NtWaitForSingleObject(>)	109
NtUserGetProcessWindowStation(>)	1	NtReleaseSemaphore(>)	4	NtSetValueKey(>)	22	NtOpenKey(>)	180
NtUserRemoveProp(>)	1	NtSetInformationObject(>)	4	NtQueryInformationProcess(>)	23	NtQueryValueKey(>)	429
NtUserSetProp(>)	1	NtUserRegisterWindowMessage(>)	4	NtReadFile(>)	23	NtClose(>)	438
NtUserSetWindowPos(>)	1	NtDuplicateObject(>)	5	NtWriteFile(>)	23