Summary (syscall name followed by its call count, sorted by count ascending; the counts presumably cover the whole run — NtClose alone is counted 501 times — so they can exceed the events shown in the excerpt below):

NtAccessCheck(>) 1 NtCreateIoCompletion(>) 2 NtCreateSemaphore(>) 11 NtCreateKey(>) 39
NtAddAtom(>) 1 NtGdiCreateSolidBrush(>) 2 NtSetEvent(>) 11 NtFsControlFile(>) 39
NtCallbackReturn(>) 1 NtOpenDirectoryObject(>) 2 NtCreateMutant(>) 12 NtQueryDefaultLocale(>) 40
NtContinue(>) 1 NtQueryInstallUILanguage(>) 2 NtEnumerateKey(>) 12 NtSetInformationProcess(>) 40
NtGdiCreateBitmap(>) 1 NtTerminateProcess(>) 2 NtOpenProcessTokenEx(>) 12 NtSetInformationThread(>) 40
NtGdiInit(>) 1 NtDeleteValueKey(>) 3 NtOpenThreadTokenEx(>) 12 NtQueryInformationProcess(>) 44
NtGdiQueryFontAssocInfo(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryDefaultUILanguage(>) 12 NtCreateSection(>) 46
NtGdiSelectBitmap(>) 1 NtWaitForMultipleObjects(>) 3 NtWriteFile(>) 12 NtUserUnregisterClass(>) 46
NtOpenKeyedEvent(>) 1 NtDuplicateObject(>) 4 NtProtectVirtualMemory(>) 16 NtUserFindExistingCursorIcon(>) 48
NtOpenProcess(>) 1 NtDuplicateToken(>) 4 NtReadFile(>) 17 NtCreateEvent(>) 51
NtOpenSymbolicLinkObject(>) 1 NtNotifyChangeKey(>) 4 NtDeviceIoControlFile(>) 18 NtWaitForSingleObject(>) 54
NtQueryEvent(>) 1 NtQuerySecurityObject(>) 4 NtQueryDirectoryFile(>) 22 NtOpenSection(>) 55
NtQueryObject(>) 1 NtUserRegisterWindowMessage(>) 4 NtQueryInformationFile(>) 22 NtUserRegisterClassExWOW(>) 63
NtQuerySymbolicLinkObject(>) 1 NtGdiGetStockObject(>) 5 NtUnmapViewOfSection(>) 22 NtMapViewOfSection(>) 70
NtQuerySystemTime(>) 1 NtSetInformationObject(>) 5 NtRequestWaitReplyPort(>) 23 NtUserGetClassInfo(>) 82
NtQueryTimerResolution(>) 1 NtClearEvent(>) 6 NtSetValueKey(>) 25 NtOpenFile(>) 92
NtRegisterThreadTerminatePort(>) 1 NtConnectPort(>) 6 NtQueryDebugFilterState(>) 29 NtAllocateVirtualMemory(>) 107
NtSecureConnectPort(>) 1 NtReleaseSemaphore(>) 6 NtQuerySystemInformation(>) 29 NtQueryAttributesFile(>) 140
NtTestAlert(>) 1 NtOpenEvent(>) 7 NtQuerySection(>) 31 NtQueryVirtualMemory(>) 168
NtUserCallNoParam(>) 1 NtQueryKey(>) 7 NtReleaseMutant(>) 33 NtEnumerateValueKey(>) 185
NtUserCallOneParam(>) 1 NtQueryVolumeInformationFile(>) 7 NtFreeVirtualMemory(>) 34 NtOpenKey(>) 269
NtUserGetDC(>) 1 NtFlushInstructionCache(>) 8 NtCreateFile(>) 36 NtQueryValueKey(>) 450
NtUserGetObjectInformation(>) 1 NtOpenMutant(>) 9 NtSetInformationFile(>) 37 NtClose(>) 501
NtUserGetProcessWindowStation(>) 1 NtOpenProcessToken(>) 10 NtOpenThreadToken(>) 38
NtUserGetThreadDesktop(>) 1 NtUserSystemParametersInfo(>) 10

Trace (one record per call: sequence number, a per-record id that appears to be the thread id, syscall name, arguments with the output values after "...", then "== status"; a call that is interrupted by a nested call is logged twice — its opening record ends with "..." and a second record with the same sequence number carries the outputs and status, e.g. 00136/00137/00136 and 00229..00239):

00001 436 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 436 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 524288, 65536, ) == 0x0 00005 436 NtAllocateVirtualMemory (-1, 524288, 0, 4096, 4096, 4, ... 524288, 4096, ) == 0x0 00006 436 NtAllocateVirtualMemory (-1, 528384, 0, 8192, 4096, 4, ... 528384, 8192, ) == 0x0 00007 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 589824, 65536, ) == 0x0 00009 436 NtAllocateVirtualMemory (-1, 589824, 0, 24576, 4096, 4, ... 589824, 24576, ) == 0x0 00010 436 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 436 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 436 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 436 NtClose (12, ... 
) == 0x0 00014 436 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 436 NtQueryVolumeInformationFile (12, 457416, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 436 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 457400, ... ) }, 457400, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 436 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 436 NtClose (16, ... ) == 0x0 00021 436 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 436 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 436 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 533304, {12, 0, 0}, 455584, 44, ... 24, {24, 16, 0, 65536, 655360, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 533304, {12, 0, 0}, 455584, 44, ... 24, {24, 16, 0, 65536, 655360, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 436 NtClose (16, ... ) == 0x0 00026 436 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 436 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 436 NtQueryVirtualMemory (-1, 0xa0000, Basic, 28, ... {BaseAddress=0xa0000,AllocationBase=0xa0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 436 NtAllocateVirtualMemory (-1, 655360, 0, 4096, 4096, 4, ... 655360, 4096, ) == 0x0 00031 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1435, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 432, 436, 1435, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 432, 436, 1435, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 436 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 436 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 436 NtClose (16, ... ) == 0x0 00036 436 NtAllocateVirtualMemory (-1, 446464, 0, 4096, 4096, 260, ... 446464, 4096, ) == 0x0 00037 436 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xb0000), 0x0, 90112, ) == 0x0 00040 436 NtClose (28, ... ) == 0x0 00041 436 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xd0000), 0x0, 212992, ) == 0x0 00044 436 NtClose (28, ... ) == 0x0 00045 436 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x110000), 0x0, 266240, ) == 0x0 00047 436 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 436 NtClose (28, ... ) == 0x0 00049 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x160000), 0x0, 24576, ) == 0x0 00051 436 NtClose (28, ... ) == 0x0 00052 436 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 432, 436, 1436, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 432, 436, 1436, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 432, 436, 1436, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 436 NtProtectVirtualMemory (-1, (0x404000), 97, 4, ... (0x404000), 4096, 8, ) == 0x0 00057 436 NtProtectVirtualMemory (-1, (0x404000), 4096, 8, ... (0x404000), 4096, 4, ) == 0x0 00058 436 NtFlushInstructionCache (-1, 4210688, 97, ... ) == 0x0 00059 436 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 436 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 436 NtClose (28, ... ) == 0x0 00062 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 436 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 436 NtClose (28, ... ) == 0x0 00065 436 NtTestAlert (... ) == 0x0 00066 436 NtContinue (458032, 1, ... 00067 436 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403204,}, 4, ... ) == 0x0 00068 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 436 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 436 NtClose (28, ... ) == 0x0 00071 436 NtAllocateVirtualMemory (-1, 536576, 0, 4096, 4096, 4, ... 
536576, 4096, ) == 0x0 00072 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 28, ) }, ... 28, ) == 0x0 00073 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00074 436 NtClose (28, ... ) == 0x0 00075 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00076 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00077 436 NtClose (28, ... ) == 0x0 00078 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00079 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00080 436 NtClose (28, ... ) == 0x0 00081 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00082 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00083 436 NtClose (28, ... ) == 0x0 00084 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00085 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00086 436 NtClose (28, ... ) == 0x0 00087 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00088 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00089 436 NtClose (28, ... ) == 0x0 00090 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00091 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00092 436 NtClose (28, ... ) == 0x0 00093 436 NtAllocateVirtualMemory (-1, 442368, 0, 4096, 4096, 260, ... 
442368, 4096, ) == 0x0 00094 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00095 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00096 436 NtClose (28, ... ) == 0x0 00097 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00098 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00099 436 NtClose (28, ... ) == 0x0 00100 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00101 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00102 436 NtClose (28, ... ) == 0x0 00103 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00104 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00105 436 NtClose (28, ... ) == 0x0 00106 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00107 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 1507328, 65536, ) == 0x0 00108 436 NtAllocateVirtualMemory (-1, 1507328, 0, 4096, 4096, 4, ... 1507328, 4096, ) == 0x0 00109 436 NtAllocateVirtualMemory (-1, 1511424, 0, 8192, 4096, 4, ... 1511424, 8192, ) == 0x0 00110 436 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00111 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x180000), 0x0, 12288, ) == 0x0 00112 436 NtClose (28, ... 
) == 0x0 00113 436 NtAllocateVirtualMemory (-1, 1519616, 0, 4096, 4096, 4, ... 1519616, 4096, ) == 0x0 00114 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00115 436 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 454320, 256, 454064, 256} (24, {28, 56, new_msg, 0, 454320, 256, 454064, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\260\356\6\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1440, 0} "XQ\26\0\0\0\0\0\0\0\0\0\260\356\6\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 432, 436, 1440, 0} (24, {28, 56, new_msg, 0, 454320, 256, 454064, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\260\356\6\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 432, 436, 1440, 0} "XQ\26\0\0\0\0\0\0\0\0\0\260\356\6\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00116 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 436 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 1060864, ) == 0x0 00118 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00119 436 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00120 436 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482208, ) == 0x0 00121 436 NtQueryInformationToken (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00122 436 NtQueryInformationToken (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00123 436 NtClose (-2147482208, ... ) == 0x0 00124 436 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3604480, 4096, ) == 0x0 00125 436 NtFreeVirtualMemory (-1, (0x370000), 4096, 32768, ... 
(0x370000), 4096, ) == 0x0 00126 436 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00127 436 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00128 436 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 436 NtClose (-2147482208, ... ) == 0x0 00130 436 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00131 436 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 436 NtClose (-2147482208, ... ) == 0x0 00133 436 NtQueryDefaultLocale (0, -133527028, ... ) == 0x0 00134 436 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00135 436 NtUserCallNoParam (24, ... ) == 0x0 00136 436 NtGdiCreateCompatibleDC (0, ... 00137 436 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3604480, 4096, ) == 0x0 00136 436 NtGdiCreateCompatibleDC ... ) == 0x110103c7 00138 436 NtGdiGetStockObject (0, ... ) == 0x1900010 00139 436 NtGdiGetStockObject (4, ... ) == 0x1900011 00140 436 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x50503bc 00141 436 NtGdiCreateSolidBrush (0, 0, ... 00142 436 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3670016, 4096, ) == 0x0 00141 436 NtGdiCreateSolidBrush ... ) == 0x41003ba 00143 436 NtGdiGetStockObject (13, ... ) == 0x18a0021 00144 436 NtGdiCreateCompatibleDC (0, ... ) == 0x40103bb 00145 436 NtGdiSelectBitmap (67175355, 84214716, ... ) == 0x185000f 00146 436 NtUserGetThreadDesktop (436, 0, ... ) == 0x28 00147 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 
48, ) == 0x0 00148 436 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00149 436 NtClose (48, ... ) == 0x0 00150 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00151 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 673, 128, 0, ... ) == 0x810dc017 00152 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00153 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 674, 128, 0, ... ) == 0x810dc01c 00154 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00155 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 675, 128, 0, ... ) == 0x810dc01e 00156 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00157 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 676, 128, 0, ... ) == 0x810d8002 00158 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10013 00159 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 677, 128, 0, ... ) == 0x810dc018 00160 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00161 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 678, 128, 0, ... ) == 0x810dc01a 00162 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00163 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 679, 128, 0, ... ) == 0x810dc01d 00164 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00165 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 681, 128, 0, ... ) == 0x810dc026 00166 436 NtUserFindExistingCursorIcon (452404, 452420, 452988, ... ) == 0x10011 00167 436 NtUserRegisterClassExWOW (452924, 453004, 452988, 453020, 680, 128, 0, ... 
) == 0x810dc019 00168 436 NtUserRegisterClassExWOW (452876, 452956, 452940, 452972, 0, 128, 0, ... ) == 0x810dc020 00169 436 NtUserRegisterClassExWOW (452876, 452952, 452968, 452940, 0, 130, 0, ... ) == 0x810dc022 00170 436 NtUserRegisterClassExWOW (452876, 452956, 452940, 452972, 0, 128, 0, ... 00171 436 NtAllocateVirtualMemory (-1, 4354048, 0, 4096, 4096, 32, ... 4354048, 4096, ) == 0x0 00170 436 NtUserRegisterClassExWOW ... ) == 0x810dc023 00172 436 NtUserRegisterClassExWOW (452876, 452952, 452968, 452940, 0, 130, 0, ... ) == 0x810dc024 00173 436 NtUserRegisterClassExWOW (452876, 452956, 452940, 452972, 0, 128, 0, ... ) == 0x810dc025 00174 436 NtCallbackReturn (0, 0, 0, ... 00175 436 NtGdiInit (... ) == 0x1 00176 436 NtGdiGetStockObject (18, ... ) == 0x290001c 00177 436 NtGdiGetStockObject (19, ... ) == 0x1b00019 00178 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00179 436 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 436 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 436 NtClose (48, ... ) == 0x0 00182 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00183 436 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 436 NtClose (48, ... 
) == 0x0 00185 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00186 436 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00187 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00190 436 NtAllocateVirtualMemory (-1, 540672, 0, 4096, 4096, 4, ... 540672, 4096, ) == 0x0 00191 436 NtAllocateVirtualMemory (-1, 544768, 0, 4096, 4096, 4, ... 544768, 4096, ) == 0x0 00192 436 NtAllocateVirtualMemory (-1, 548864, 0, 4096, 4096, 4, ... 548864, 4096, ) == 0x0 00193 436 NtAllocateVirtualMemory (-1, 552960, 0, 4096, 4096, 4, ... 552960, 4096, ) == 0x0 00194 436 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00195 436 NtCreateEvent (0x1f0003, {24, 52, 0x80, 454732, 0, (0x1f0003, {24, 52, 0x80, 454732, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00196 436 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00197 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00198 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00199 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00200 436 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00201 436 NtClose (60, ... ) == 0x0 00202 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00203 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00204 436 NtAllocateVirtualMemory (-1, 557056, 0, 4096, 4096, 4, ... 557056, 4096, ) == 0x0 00205 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00206 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00207 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 
60, ) == 0x0 00208 436 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00209 436 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00210 436 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 436 NtClose (60, ... ) == 0x0 00212 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00213 436 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00214 436 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 436 NtClose (60, ... ) == 0x0 00216 436 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00217 436 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00218 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00219 436 NtOpenKey (0x9, {24, 48, 0x40, 0, 0, (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 436 NtAllocateVirtualMemory (-1, 561152, 0, 8192, 4096, 4, ... 561152, 8192, ) == 0x0 00222 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00223 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00224 436 NtQueryInformationToken (60, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00225 436 NtClose (60, ... ) == 0x0 00226 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00227 436 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 393472, ... ) == 0x0 00228 436 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00229 436 NtQueryDefaultUILanguage (452968, ... 00230 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00231 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00232 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00233 436 NtClose (-2147482208, ... ) == 0x0 00234 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00235 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00236 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00237 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 436 NtClose (-2147482196, ... ) == 0x0 00239 436 NtClose (-2147482208, ... ) == 0x0 00229 436 NtQueryDefaultUILanguage ... ) == 0x0 00240 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00241 436 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00242 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00243 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00244 436 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x710000), 0x0, 593920, ) == 0x0 00245 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00246 436 NtQueryDefaultUILanguage (2013024600, ... 00247 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00248 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00249 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00250 436 NtClose (-2147482208, ... ) == 0x0 00251 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00252 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00254 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00255 436 NtClose (-2147482196, ... ) == 0x0 00256 436 NtClose (-2147482208, ... ) == 0x0 00246 436 NtQueryDefaultUILanguage ... ) == 0x0 00257 436 NtQueryInstallUILanguage (2013024602, ... 
) == 0x0 00258 436 NtQueryDefaultLocale (1, 451004, ... ) == 0x0 00259 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00260 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 451860, 1, 96, 0} (24, {128, 156, new_msg, 0, 451860, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275x\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\354\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\350\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275x\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\354\6\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1450, 0} (24, {128, 156, new_msg, 0, 451860, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\350\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275x\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\354\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\350\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275x\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\354\6\0\0\0\0\0" ) ) == 0x0 00261 436 NtClose (68, ... ) == 0x0 00262 436 NtClose (72, ... ) == 0x0 00263 436 NtUnmapViewOfSection (-1, 0x710000, ... ) == 0x0 00264 436 NtUnmapViewOfSection (-1, 0x6ec14, ... ) == STATUS_NOT_MAPPED_VIEW 00265 436 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00266 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00268 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00269 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 449544, ... ) }, 449544, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00270 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00271 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00272 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00273 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 450136, ... ) }, 450136, ... ) == 0x0 00274 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00275 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00276 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00277 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00278 436 NtClose (68, ... ) == 0x0 00279 436 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x710000), 0x0, 921600, ) == 0x0 00280 436 NtClose (76, ... ) == 0x0 00281 436 NtUnmapViewOfSection (-1, 0x710000, ... 
) == 0x0 00282 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00283 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00284 436 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00285 436 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00286 436 NtQueryInformationToken (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00287 436 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00288 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0 00289 436 NtQueryValueKey (84, (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00290 436 NtClose (84, ... ) == 0x0 00291 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00292 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00293 436 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00294 436 NtClose (84, ... ) == 0x0 00295 436 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00296 436 NtClose (80, ... ) == 0x0 00297 436 NtClose (76, ... ) == 0x0 00298 436 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x71950000), 0x0, 933888, ) == 0x0 00299 436 NtClose (68, ... ) == 0x0 00300 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00301 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00302 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00303 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00304 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00305 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00306 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00307 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00308 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00309 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00310 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00311 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00312 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00313 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00314 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00315 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00316 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00317 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00318 436 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00319 436 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00320 436 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00321 436 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 451320, ... ) , 42, 451320, ... ) == 0x0 00322 436 NtQueryDefaultUILanguage (450036, ... 00323 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00324 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00325 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00326 436 NtClose (-2147482208, ... ) == 0x0 00327 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00328 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00330 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 436 NtClose (-2147482196, ... ) == 0x0 00332 436 NtClose (-2147482208, ... ) == 0x0 00322 436 NtQueryDefaultUILanguage ... ) == 0x0 00333 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 448888, ... ) }, 448888, ... ) == 0x0 00335 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00336 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 
76, ) == 0x0 00337 436 NtClose (68, ... ) == 0x0 00338 436 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 4096, ) == 0x0 00339 436 NtClose (76, ... ) == 0x0 00340 436 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00341 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 448528, ... ) }, 448528, ... ) == 0x0 00342 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 449228, (0x80100080, {24, 0, 0x40, 0, 449228, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00343 436 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00344 436 NtClose (76, ... ) == 0x0 00345 436 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3a0000), {0, 0}, 4096, ) == 0x0 00346 436 NtClose (68, ... ) == 0x0 00347 436 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00348 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00349 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00350 436 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3a0000), 0x0, 4096, ) == 0x0 00351 436 NtQueryInformationFile (68, 448848, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00352 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00353 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 448928, 1, 96, 0} (24, {128, 156, new_msg, 0, 448928, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\240\340\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\240\340\6\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1451, 0} (24, {128, 156, new_msg, 0, 448928, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\240\340\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1451, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\240\340\6\0\0\0\0\0" ) ) == 0x0 00354 436 NtClose (68, ... ) == 0x0 00355 436 NtClose (76, ... ) == 0x0 00356 436 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 00357 436 NtUnmapViewOfSection (-1, 0x6e0a0, ... ) == STATUS_NOT_MAPPED_VIEW 00358 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00359 436 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00360 436 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00361 436 NtUserGetDC (0, ... ) == 0x1010054 00362 436 NtUserCallOneParam (16842836, 56, ... 
) == 0x1 00363 436 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00364 436 NtUserSystemParametersInfo (66, 12, 451340, 0, ... ) == 0x1 00365 436 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00366 436 NtAccessCheck (557536, 76, 0x1, 450744, 450688, 56, 450772, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00367 436 NtClose (76, ... ) == 0x0 00368 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00369 436 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00370 436 NtClose (76, ... ) == 0x0 00371 436 NtUserSystemParametersInfo (41, 500, 450840, 0, ... ) == 0x1 00372 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00373 436 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00374 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00375 436 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00376 436 NtClose (68, ... ) == 0x0 00377 436 NtClose (76, ... ) == 0x0 00378 436 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00379 436 NtUserSystemParametersInfo (4130, 0, 451364, 0, ... ) == 0x1 00380 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00381 436 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00382 436 NtClose (76, ... ) == 0x0 00383 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00384 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... 
) == 0x810dc03b 00385 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc03d 00386 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00387 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc03f 00388 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00389 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc041 00390 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00391 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc043 00392 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc045 00393 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00394 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc047 00395 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00396 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc049 00397 436 NtUserGetClassInfo (1905590272, 451260, 451212, 451288, 0, ... ) == 0xc049 00398 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00399 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc04b 00400 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00401 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc04d 00402 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00403 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc04f 00404 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc051 00405 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... 
) == 0x10011 00406 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc053 00407 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00408 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc055 00409 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc057 00410 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00411 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc059 00412 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10013 00413 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc05b 00414 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00415 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc05d 00416 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00417 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc05f 00418 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00419 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc017 00420 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00421 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc019 00422 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10013 00423 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... ) == 0x810dc018 00424 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00425 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc01a 00426 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00427 436 NtUserRegisterClassExWOW (451096, 451176, 451160, 451192, 0, 384, 0, ... 
) == 0x810dc01c 00428 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00429 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc01e 00430 436 NtUserFindExistingCursorIcon (450644, 450660, 451228, ... ) == 0x10011 00431 436 NtUserRegisterClassExWOW (451156, 451236, 451220, 451252, 0, 384, 0, ... ) == 0x810dc01b 00432 436 NtUserFindExistingCursorIcon (450640, 450656, 451224, ... ) == 0x10011 00433 436 NtUserRegisterClassExWOW (451152, 451232, 451216, 451248, 0, 384, 0, ... 00434 436 NtAllocateVirtualMemory (-1, 4358144, 0, 4096, 4096, 32, ... 4358144, 4096, ) == 0x0 00433 436 NtUserRegisterClassExWOW ... ) == 0x810dc068 00435 436 NtUserFindExistingCursorIcon (450648, 450664, 451232, ... ) == 0x10011 00436 436 NtUserRegisterClassExWOW (451100, 451180, 451164, 451196, 0, 384, 0, ... ) == 0x810dc06a 00437 436 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00438 436 NtAllocateVirtualMemory (-1, 100663296, 0, 3145728, 12288, 64, ... 100663296, 3145728, ) == 0x0 00439 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 456488, (0x80100080, {24, 0, 0x40, 0, 456488, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0 00440 436 NtQueryInformationFile (68, 456540, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00441 436 NtAllocateVirtualMemory (-1, 569344, 0, 16384, 4096, 4, ... 569344, 16384, ) == 0x0 00442 436 NtReadFile (68, 0, 0, 0, 13364, 0x0, 0, ... {status=0x0, info=13364}, (68, 0, 0, 0, 13364, 0x0, 0, ... 
{status=0x0, info=13364}, "MZ\200\0\1\0\0\0\4\0\20\0\377\377\0\0@\1\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\12$\0\0\0\0\0\0\0\0PE\0\0L\1\2\0?\206\216F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\1B\0\0\0\0\0\0\0\0\0\0\0\0\42\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0P\0\0\0\2\0\0\340\11\1\0\2\0\0\0\0\20\0\0\0\20\0\0\0\0\1\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0@\0\0a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10/\0\0\0\20\0\0\00\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\340\0\0\0\0\0\0\0\0a\0\0\0\0@\0\0\0\2\0\0\02\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00443 436 NtClose (68, ... ) == 0x0 00444 436 NtQueryValueKey (76, (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00445 436 NtQueryValueKey (76, (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00446 436 NtQueryValueKey (76, (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00447 436 NtQueryValueKey (76, (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00448 436 NtQueryValueKey (76, (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00449 436 NtQueryValueKey (76, (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00450 436 NtQueryValueKey (76, (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00451 436 NtQueryValueKey (76, (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00452 436 NtQueryValueKey (76, (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00453 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00454 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 453912, ... ) }, 453912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00455 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 453912, ... ) }, 453912, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00456 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 453912, ... ) }, 453912, ... ) == 0x0 00457 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00458 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0 00459 436 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00460 436 NtClose (68, ... ) == 0x0 00461 436 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00462 436 NtClose (80, ... ) == 0x0 00463 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0 00464 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00465 436 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 84, ) }, ... 
84, ) == 0x0 00466 436 NtQueryEvent (84, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 00467 436 NtClose (84, ... ) == 0x0 00468 436 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 455396, 140, ... 84, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 455396, 140, ... 84, 0x0, 0x0, 256, 140, ) == 0x0 00469 436 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\10\0" ... {176, 200, reply, 0, 432, 436, 1453, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 432, 436, 1453, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\10\0" ... {176, 200, reply, 0, 432, 436, 1453, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00470 436 NtQueryValueKey (76, (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00471 436 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00472 436 NtQueryValueKey (88, (88, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00473 436 NtClose (88, ... 
) == 0x0 00474 436 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00475 436 NtQueryValueKey (88, (88, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00476 436 NtClose (88, ... ) == 0x0 00477 436 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00478 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 92, ) }, ... 92, ) == 0x0 00479 436 NtQueryValueKey (92, (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00480 436 NtClose (92, ... ) == 0x0 00481 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 92, ) }, ... 92, ) == 0x0 00482 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 96, ) }, ... 96, ) == 0x0 00483 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 100, ) }, ... 100, ) == 0x0 00484 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 104, ) }, ... 104, ) == 0x0 00485 436 NtQueryValueKey (104, (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00486 436 NtQueryValueKey (104, (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00487 436 NtClose (104, ... ) == 0x0 00488 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0 00489 436 NtQueryValueKey (104, (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00490 436 NtQueryValueKey (104, (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00491 436 NtQueryValueKey (104, (104, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00492 436 NtQueryValueKey (104, (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00493 436 NtQueryValueKey (104, (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00494 436 NtQueryValueKey (104, (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00495 436 NtClose (104, ... ) == 0x0 00496 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0 00497 436 NtQueryValueKey (104, (104, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "PerUserItem", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00498 436 NtClose (104, ... ) == 0x0 00499 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0 00500 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 108, ) }, ... 108, ) == 0x0 00501 436 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00502 436 NtClose (108, ... ) == 0x0 00503 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 108, ) }, ... 108, ) == 0x0 00504 436 NtQueryValueKey (108, (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00505 436 NtClose (108, ... ) == 0x0 00506 436 NtQueryDefaultUILanguage (450364, ... 00507 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00508 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00509 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00510 436 NtClose (-2147482208, ... ) == 0x0 00511 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00512 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00514 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00515 436 NtClose (-2147482196, ... ) == 0x0 00516 436 NtClose (-2147482208, ... ) == 0x0 00506 436 NtQueryDefaultUILanguage ... ) == 0x0 00517 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00518 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00519 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 108, ... 112, ) == 0x0 00520 436 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x710000), 0x0, 8323072, ) == 0x0 00521 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 436 NtAllocateVirtualMemory (-1, 438272, 0, 4096, 4096, 260, ... 438272, 4096, ) == 0x0 00523 436 NtQueryDefaultLocale (1, 448400, ... ) == 0x0 00524 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00525 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 449256, 1, 96, 0} (24, {128, 156, new_msg, 0, 449256, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\336\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\250\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\350\341\6\0\0\0\0\0" ... 
{128, 156, reply, 0, 432, 436, 1454, 0} " S\26\0\33\0\1\0\0\0\0\0\1\336\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\250\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\350\341\6\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1454, 0} (24, {128, 156, new_msg, 0, 449256, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\336\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\250\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\350\341\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1454, 0} " S\26\0\33\0\1\0\0\0\0\0\1\336\6\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\250\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\350\341\6\0\0\0\0\0" ) ) == 0x0 00526 436 NtClose (108, ... ) == 0x0 00527 436 NtClose (112, ... ) == 0x0 00528 436 NtUnmapViewOfSection (-1, 0x710000, ... ) == 0x0 00529 436 NtUnmapViewOfSection (-1, 0x6e1e8, ... ) == STATUS_NOT_MAPPED_VIEW 00530 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00531 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00532 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00533 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00534 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 447484, ... ) }, 447484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00535 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00536 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00537 436 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00538 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 448076, ... ) }, 448076, ... ) == 0x0 00539 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0 00540 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00541 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 108, ) }, ... 108, ) == 0x0 00542 436 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00543 436 NtClose (108, ... ) == 0x0 00544 436 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {432, 0}, ... 108, ) == 0x0 00545 436 NtQueryInformationProcess (108, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00546 436 NtClose (108, ... ) == 0x0 00547 436 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00548 436 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00549 436 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00550 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0 00551 436 NtQueryValueKey (108, (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 436 NtClose (108, ... ) == 0x0 00553 436 NtUserSystemParametersInfo (41, 500, 449940, 0, ... ) == 0x1 00554 436 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00555 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00556 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00557 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... 
) == 0x810dc03b 00558 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00559 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc03d 00560 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00561 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00562 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc03f 00563 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00564 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00565 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc041 00566 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00567 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00568 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc043 00569 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00570 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc045 00571 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00572 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00573 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc047 00574 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00575 436 NtUserFindExistingCursorIcon (449728, 449744, 450312, ... ) == 0x10011 00576 436 NtUserRegisterClassExWOW (450180, 450260, 450244, 450276, 0, 384, 0, ... ) == 0x810dc049 00577 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00578 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00579 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... 
) == 0x810dc04b 00580 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00581 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00582 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc04d 00583 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00584 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00585 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc04f 00586 436 NtUserGetClassInfo (1999896576, 450352, 450304, 450380, 0, ... ) == 0x0 00587 436 NtUserRegisterClassExWOW (450188, 450268, 450252, 450284, 0, 384, 0, ... ) == 0x810dc051 00588 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00589 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00590 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc053 00591 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00592 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00593 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc055 00594 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc057 00595 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00596 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00597 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc059 00598 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00599 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10013 00600 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc05b 00601 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... 
) == 0x0 00602 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00603 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc05d 00604 436 NtUserGetClassInfo (1999896576, 450348, 450300, 450376, 0, ... ) == 0x0 00605 436 NtUserFindExistingCursorIcon (449732, 449748, 450316, ... ) == 0x10011 00606 436 NtUserRegisterClassExWOW (450184, 450264, 450248, 450280, 0, 384, 0, ... ) == 0x810dc05f 00607 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc03b 00608 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc03d 00609 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc03f 00610 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc041 00611 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc043 00612 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc045 00613 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc047 00614 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc049 00615 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc04b 00616 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc04d 00617 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc04f 00618 436 NtUserGetClassInfo (1999896576, 452104, 452056, 452132, 0, ... ) == 0xc051 00619 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc053 00620 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc055 00621 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc059 00622 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc05b 00623 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... ) == 0xc05d 00624 436 NtUserGetClassInfo (1999896576, 452100, 452052, 452128, 0, ... 
) == 0xc05f 00625 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00626 436 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 569712, 0, (0x1f0003, {24, 52, 0x80, 569712, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 108, ) }, 0, 2147483647, ... 108, ) == STATUS_OBJECT_NAME_EXISTS 00627 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00628 436 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 00629 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00630 436 NtQueryValueKey (116, (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00631 436 NtClose (116, ... ) == 0x0 00632 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 452624, ... ) }, 452624, ... ) == 0x0 00633 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00634 436 NtSetValueKey (116, (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... 
) , 0, 1, (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 00635 436 NtClose (116, ... ) == 0x0 00636 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 453956, ... ) }, 453956, ... ) == 0x0 00637 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 453688, ... ) }, 453688, ... ) == 0x0 00638 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00639 436 NtSetInformationFile (116, 453664, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00640 436 NtClose (116, ... ) == 0x0 00641 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 453688, ... ) }, 453688, ... ) == 0x0 00642 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00643 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00644 436 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 00645 436 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 116, ) }, ... 116, ) == 0x0 00646 436 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Paths"}, ... 120, ) }, ... 120, ) == 0x0 00647 436 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path1"}, ... 124, ) }, ... 124, ) == 0x0 00648 436 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path2"}, ... 128, ) }, ... 128, ) == 0x0 00649 436 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path3"}, ... 132, ) }, ... 132, ) == 0x0 00650 436 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path4"}, ... 136, ) }, ... 136, ) == 0x0 00651 436 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Special Paths"}, ... 140, ) }, ... 140, ) == 0x0 00652 436 NtSetValueKey (120, (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 00653 436 NtSetValueKey (120, (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... 
) == 0x0 00654 436 NtSetValueKey (124, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 00655 436 NtSetValueKey (128, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 00656 436 NtSetValueKey (132, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... 
) , 0, 1, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 00657 436 NtSetValueKey (136, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 00658 436 NtSetValueKey (124, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00659 436 NtSetValueKey (128, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00660 436 NtSetValueKey (132, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00661 436 NtSetValueKey (136, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00662 436 NtClose (136, ... ) == 0x0 00663 436 NtClose (132, ... ) == 0x0 00664 436 NtClose (128, ... ) == 0x0 00665 436 NtClose (124, ... ) == 0x0 00666 436 NtClose (120, ... ) == 0x0 00667 436 NtClose (140, ... ) == 0x0 00668 436 NtClose (116, ... 
) == 0x0 00669 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 116, ) }, ... 116, ) == 0x0 00670 436 NtQueryValueKey (116, (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00671 436 NtClose (116, ... ) == 0x0 00672 436 NtClose (104, ... ) == 0x0 00673 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 104, ) }, ... 104, ) == 0x0 00674 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00675 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00676 436 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 00677 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00678 436 NtQueryValueKey (116, (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00679 436 NtClose (116, ... ) == 0x0 00680 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 452624, ... ) }, 452624, ... ) == 0x0 00681 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00682 436 NtSetValueKey (116, (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... 
) , 0, 1, (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 00683 436 NtClose (116, ... ) == 0x0 00684 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 453956, ... ) }, 453956, ... ) == 0x0 00685 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00686 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00687 436 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00688 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 116, ) }, ... 116, ) == 0x0 00689 436 NtQueryValueKey (116, (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00690 436 NtClose (116, ... ) == 0x0 00691 436 NtClose (104, ... ) == 0x0 00692 436 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 104, ) }, ... 104, ) == 0x0 00693 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00694 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00695 436 NtWaitForSingleObject (108, 0, {0, 0}, ... 
) == 0x0 00696 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00697 436 NtQueryValueKey (116, (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00698 436 NtClose (116, ... ) == 0x0 00699 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 452624, ... ) }, 452624, ... ) == 0x0 00700 436 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00701 436 NtSetValueKey (116, (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 00702 436 NtClose (116, ... ) == 0x0 00703 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 453956, ... ) }, 453956, ... ) == 0x0 00704 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 453688, ... ) }, 453688, ... 
) == 0x0 00705 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00706 436 NtSetInformationFile (116, 453664, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00707 436 NtClose (116, ... ) == 0x0 00708 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 453688, ... ) }, 453688, ... ) == 0x0 00709 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00710 436 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00711 436 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00712 436 NtClose (104, ... ) == 0x0 00713 436 NtClose (100, ... ) == 0x0 00714 436 NtClose (92, ... ) == 0x0 00715 436 NtClose (96, ... ) == 0x0 00716 436 NtClose (88, ... ) == 0x0 00717 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 88, ) }, ... 88, ) == 0x0 00718 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00719 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 569712, 0, (0x1f0001, {24, 52, 0x80, 569712, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, 0, ... 96, ) }, 0, ... 96, ) == 0x0 00720 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00721 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0 00722 436 NtQueryVolumeInformationFile (92, 455208, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00723 436 NtClose (92, ... ) == 0x0 00724 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0 00725 436 NtQueryVolumeInformationFile (92, 455232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00726 436 NtClose (92, ... ) == 0x0 00727 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 455560, ... ) }, 455560, ... ) == 0x0 00728 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 92, {status=0x0, info=1}, ) }, 7, 2113568, ... 92, {status=0x0, info=1}, ) == 0x0 00729 436 NtSetInformationFile (92, 455536, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00730 436 NtClose (92, ... ) == 0x0 00731 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455552, (0xc0100080, {24, 0, 0x40, 569712, 455552, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 
92, {status=0x0, info=1}, ) == 0x0 00732 436 NtSetInformationFile (92, 455604, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00733 436 NtQueryInformationFile (92, 455604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00734 436 NtClose (92, ... ) == 0x0 00735 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455536, (0xc0100080, {24, 0, 0x40, 569712, 455536, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0 00736 436 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00737 436 NtCreateSection (0xf0007, {24, 52, 0x80, 569712, 0, (0xf0007, {24, 52, 0x80, 569712, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, 0x0, 4, 134217728, 92, ... 100, ) }, 0x0, 4, 134217728, 92, ... 100, ) == 0x0 00738 436 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3c0000), {0, 0}, 32768, ) == 0x0 00739 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00740 436 NtQueryInformationFile (92, 455568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00741 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 00742 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 00743 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00744 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 569712, 0, (0x1f0001, {24, 52, 0x80, 569712, 0, "c:!documents and settings!sri-user!cookies!"}, 0, ... 104, ) }, 0, ... 104, ) == 0x0 00745 436 NtWaitForSingleObject (104, 0, 0x0, ... 
) == 0x0 00746 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0 00747 436 NtQueryVolumeInformationFile (116, 455208, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00748 436 NtClose (116, ... ) == 0x0 00749 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0 00750 436 NtQueryVolumeInformationFile (116, 455232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00751 436 NtClose (116, ... ) == 0x0 00752 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 455560, ... ) }, 455560, ... ) == 0x0 00753 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00754 436 NtSetInformationFile (116, 455536, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00755 436 NtClose (116, ... ) == 0x0 00756 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455552, (0xc0100080, {24, 0, 0x40, 569712, 455552, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0 00757 436 NtSetInformationFile (116, 455604, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00758 436 NtQueryInformationFile (116, 455604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00759 436 NtClose (116, ... ) == 0x0 00760 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455536, (0xc0100080, {24, 0, 0x40, 569712, 455536, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0 00761 436 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00762 436 NtCreateSection (0xf0007, {24, 52, 0x80, 569712, 0, (0xf0007, {24, 52, 0x80, 569712, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, 0x0, 4, 134217728, 116, ... 140, ) }, 0x0, 4, 134217728, 116, ... 140, ) == 0x0 00763 436 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3d0000), {0, 0}, 16384, ) == 0x0 00764 436 NtReleaseMutant (104, ... 0x0, ) == 0x0 00765 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00766 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 569712, 0, (0x1f0001, {24, 52, 0x80, 569712, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, 0, ... 120, ) }, 0, ... 120, ) == 0x0 00767 436 NtWaitForSingleObject (120, 0, 0x0, ... ) == 0x0 00768 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0 00769 436 NtQueryVolumeInformationFile (124, 455208, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00770 436 NtClose (124, ... ) == 0x0 00771 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0 00772 436 NtQueryVolumeInformationFile (124, 455232, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00773 436 NtClose (124, ... 
) == 0x0 00774 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 455560, ... ) }, 455560, ... ) == 0x0 00775 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 124, {status=0x0, info=1}, ) }, 7, 2113568, ... 124, {status=0x0, info=1}, ) == 0x0 00776 436 NtSetInformationFile (124, 455536, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00777 436 NtClose (124, ... ) == 0x0 00778 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455552, (0xc0100080, {24, 0, 0x40, 569712, 455552, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 00779 436 NtSetInformationFile (124, 455604, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00780 436 NtQueryInformationFile (124, 455604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00781 436 NtClose (124, ... ) == 0x0 00782 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 569712, 455536, (0xc0100080, {24, 0, 0x40, 569712, 455536, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 00783 436 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00784 436 NtCreateSection (0xf0007, {24, 52, 0x80, 569712, 0, (0xf0007, {24, 52, 0x80, 569712, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, 0x0, 4, 134217728, 124, ... 128, ) }, 0x0, 4, 134217728, 124, ... 
128, ) == 0x0 00785 436 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 32768, ) == 0x0 00786 436 NtReleaseMutant (120, ... 0x0, ) == 0x0 00787 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 455616, ... ) }, 455616, ... ) == 0x0 00788 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00789 436 NtSetInformationFile (132, 455592, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00790 436 NtClose (132, ... ) == 0x0 00791 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 455616, ... ) }, 455616, ... ) == 0x0 00792 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 455616, ... ) }, 455616, ... ) == 0x0 00793 436 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00794 436 NtSetInformationFile (132, 455592, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00795 436 NtClose (132, ... ) == 0x0 00796 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 455616, ... ) }, 455616, ... ) == 0x0 00797 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00798 436 NtQueryInformationFile (92, 454000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00799 436 NtReleaseMutant (96, ... 
0x0, ) == 0x0 00800 436 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 132, ) }, ... 132, ) == 0x0 00801 436 NtOpenKey (0xf, {24, 132, 0x40, 0, 0, (0xf, {24, 132, 0x40, 0, 0, "Extensible Cache"}, ... 136, ) }, ... 136, ) == 0x0 00802 436 NtClose (132, ... ) == 0x0 00803 436 NtWaitForSingleObject (88, 0, {-600000000, -1}, ... ) == 0x0 00804 436 NtEnumerateKey (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 00805 436 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007051420070521"}, ... 132, ) }, ... 132, ) == 0x0 00806 436 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00807 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00808 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00809 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00810 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00811 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00812 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00813 436 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00814 436 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00815 436 NtClose (132, ... ) == 0x0 00816 436 NtEnumerateKey (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 00817 436 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007052120070528"}, ... 132, ) }, ... 132, ) == 0x0 00818 436 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00819 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00820 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00821 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00822 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00823 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00824 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00825 436 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00826 436 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00827 436 NtClose (132, ... ) == 0x0 00828 436 NtEnumerateKey (136, 2, Basic, 288, ... 
{LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 00829 436 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007053120070601"}, ... 132, ) }, ... 132, ) == 0x0 00830 436 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00831 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00832 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00833 436 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00834 436 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00835 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00836 436 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00837 436 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00838 436 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00839 436 NtClose (132, ... ) == 0x0 00840 436 NtEnumerateKey (136, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 00841 436 NtReleaseMutant (88, ... 0x0, ) == 0x0 00842 436 NtClose (136, ... ) == 0x0 00843 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00844 436 NtQueryInformationFile (92, 455928, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00845 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 00846 436 NtWaitForSingleObject (96, 0, 0x0, ... 
) == 0x0 00847 436 NtQueryInformationFile (92, 456000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00848 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 00849 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00850 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00851 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00852 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00853 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00855 436 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00856 436 NtClose (136, ... ) == 0x0 00857 436 NtQueryValueKey (76, (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00858 436 NtQueryValueKey (76, (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00859 436 NtQueryValueKey (76, (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00860 436 NtQueryValueKey (76, (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00861 436 NtQueryValueKey (76, (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00862 436 NtQueryValueKey (76, (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00863 436 NtQueryValueKey (76, (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00864 436 NtQueryValueKey (76, (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00865 436 NtQueryValueKey (76, (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00866 436 NtQueryValueKey (76, (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00867 436 NtQueryValueKey (76, (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00868 436 NtQueryValueKey (76, (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00869 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 136, ) }, ... 136, ) == 0x0 00870 436 NtQueryValueKey (136, (136, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 436 NtClose (136, ... ) == 0x0 00872 436 NtQueryValueKey (76, (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00873 436 NtQueryValueKey (76, (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00874 436 NtQueryValueKey (76, (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00875 436 NtQueryValueKey (76, (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00876 436 NtQueryValueKey (76, (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00877 436 NtQueryValueKey (76, (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00878 436 NtQueryValueKey (76, (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 436 NtQueryValueKey (76, (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 436 NtQueryValueKey (76, (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00882 436 NtQueryValueKey (136, (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 436 NtClose (136, ... ) == 0x0 00884 436 NtQueryValueKey (76, (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00885 436 NtQueryValueKey (76, (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00886 436 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00887 436 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00888 436 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00889 436 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00890 436 NtQueryValueKey (76, (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 436 NtQueryValueKey (76, (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00892 436 NtQueryValueKey (76, (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 436 NtQueryValueKey (76, (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 436 NtQueryValueKey (76, (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00895 436 NtQueryValueKey (76, (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 436 NtQueryValueKey (76, (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 436 NtQueryValueKey (76, (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 436 NtQueryValueKey (76, (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00899 436 NtQueryValueKey (76, (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 436 NtQueryValueKey (76, (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00901 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 136, ) }, ... 136, ) == 0x0 00902 436 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 132, ) == 0x0 00903 436 NtQueryValueKey (76, (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00904 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00905 436 NtQueryInformationFile (92, 455976, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00906 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 00907 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 569712, 0, (0x1f0001, {24, 52, 0x80, 569712, 0, "WininetConnectionMutex"}, 0, ... 144, ) }, 0, ... 144, ) == 0x0 00909 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 148, ) == 0x0 00910 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 152, ) }, ... 152, ) == 0x0 00911 436 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00912 436 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00913 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0 00914 436 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00915 436 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00916 436 NtClose (156, ... ) == 0x0 00917 436 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 156, ) == 0x0 00918 436 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 00919 436 NtClearEvent (156, ... ) == 0x0 00920 436 NtSetEvent (156, ... 0x0, ) == 0x0 00921 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 453972, ... ) }, 453972, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 453972, ... ) }, 453972, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 453972, ... ) }, 453972, ... ) == 0x0 00925 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0 00926 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 160, ... 164, ) == 0x0 00927 436 NtQuerySection (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00928 436 NtClose (160, ... ) == 0x0 00929 436 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00930 436 NtClose (164, ... ) == 0x0 00931 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00932 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 453168, ... ) }, 453168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 453168, ... ) }, 453168, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 453168, ... ) }, 453168, ... ) == 0x0 00935 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0 00936 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 164, ... 160, ) == 0x0 00937 436 NtQuerySection (160, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00938 436 NtClose (164, ... ) == 0x0 00939 436 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00940 436 NtClose (160, ... ) == 0x0 00941 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 452364, ... ) }, 452364, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 452364, ... ) }, 452364, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 452364, ... ) }, 452364, ... ) == 0x0 00945 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0 00946 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 160, ... 
164, ) == 0x0 00947 436 NtQuerySection (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00948 436 NtClose (160, ... ) == 0x0 00949 436 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00950 436 NtClose (164, ... ) == 0x0 00951 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00952 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00953 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0 00954 436 NtQueryValueKey (164, (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00955 436 NtQueryValueKey (164, (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (164, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00956 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 00957 436 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "Protocol_Catalog9"}, ... 168, ) }, ... 168, ) == 0x0 00958 436 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00959 436 NtNotifyChangeKey (168, 160, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00960 436 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00961 436 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 436 NtQueryValueKey (168, (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00963 436 NtQueryValueKey (168, (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00964 436 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "Catalog_Entries"}, ... 172, ) }, ... 172, ) == 0x0 00965 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000001"}, ... 176, ) }, ... 176, ) == 0x0 00966 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00967 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00968 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\311\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\312\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\313\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\314\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00969 436 NtClose (176, ... ) == 0x0 00970 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000002"}, ... 176, ) }, ... 176, ) == 0x0 00971 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00972 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00973 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\316\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\317\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\320\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\321\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00974 436 NtClose (176, ... ) == 0x0 00975 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000003"}, ... 176, ) }, ... 176, ) == 0x0 00976 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00977 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00978 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\323\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\324\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\325\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\326\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00979 436 NtClose (176, ... ) == 0x0 00980 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000004"}, ... 176, ) }, ... 176, ) == 0x0 00981 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00982 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00983 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\330\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\331\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\332\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\333\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00984 436 NtClose (176, ... ) == 0x0 00985 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000005"}, ... 176, ) }, ... 176, ) == 0x0 00986 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00987 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00988 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\335\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\336\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\337\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\340\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00989 436 NtClose (176, ... ) == 0x0 00990 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000006"}, ... 176, ) }, ... 176, ) == 0x0 00991 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00992 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00993 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\342\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\343\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\344\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\345\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00994 436 NtClose (176, ... ) == 0x0 00995 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000007"}, ... 176, ) }, ... 176, ) == 0x0 00996 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00997 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00998 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\347\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\350\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\351\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\352\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00999 436 NtClose (176, ... ) == 0x0 01000 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000008"}, ... 176, ) }, ... 176, ) == 0x0 01001 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01002 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01003 436 NtAllocateVirtualMemory (-1, 585728, 0, 4096, 4096, 4, ... 585728, 4096, ) == 0x0 01004 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\355\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\356\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\357\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\360\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01005 436 NtClose (176, ... ) == 0x0 01006 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000009"}, ... 176, ) }, ... 176, ) == 0x0 01007 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01008 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01009 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\362\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\363\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\364\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\365\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01010 436 NtClose (176, ... ) == 0x0 01011 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000010"}, ... 176, ) }, ... 176, ) == 0x0 01012 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01013 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01014 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\367\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0$\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\30\317\10\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\370\3\0\0\260\1\0\0\264\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\10\0\2\0\0\0\220\0\0\0\371\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\3\0\0\260\1\0\0\264\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01015 436 NtClose (176, ... ) == 0x0 01016 436 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000011"}, ... 176, ) }, ... 176, ) == 0x0 01017 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01018 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01019 436 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\374\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\375\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\3\0\0\260\1\0\0\264\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\376\3\0\0\260\1\0\0\264\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\377\3\0\0\260\1\0\0\264\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\377\3\0\0\260\1\0\0\264\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0\0\4\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0@\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\350\316\10\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\374\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\374\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\375\3\0\0\260\1\0\0\264\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\376\3\0\0\260\1\0\0\264\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\376\3\0\0\260\1\0\0\264\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\377\3\0\0\260\1\0\0\264\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\377\3\0\0\260\1\0\0\264\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0\0\4\0\0\260\1\0\0\264\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\244\0\0\0@\364\6\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\350\316\10\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01020 436 NtClose (176, ... ) == 0x0 01021 436 NtClose (172, ... 
) == 0x0 01022 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 01023 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0 01024 436 NtOpenKey (0x2000000, {24, 164, 0x40, 0, 0, (0x2000000, {24, 164, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 176, ) }, ... 176, ) == 0x0 01025 436 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01026 436 NtNotifyChangeKey (176, 172, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01027 436 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01028 436 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01029 436 NtQueryValueKey (176, (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01030 436 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "Catalog_Entries"}, ... 180, ) }, ... 180, ) == 0x0 01031 436 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 7405568, 1048576, ) == 0x0 01032 436 NtAllocateVirtualMemory (-1, 7405568, 0, 8192, 4096, 4, ... 7405568, 8192, ) == 0x0 01033 436 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000001"}, ... 184, ) }, ... 184, ) == 0x0 01034 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01035 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01036 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01037 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01038 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01039 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01040 436 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01041 436 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01042 436 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01043 436 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01044 436 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01045 436 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01046 436 NtClose (184, ... ) == 0x0 01047 436 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000002"}, ... 184, ) }, ... 184, ) == 0x0 01048 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01049 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01050 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01051 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01052 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01053 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01054 436 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01055 436 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01056 436 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01057 436 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01058 436 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01059 436 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01060 436 NtClose (184, ... ) == 0x0 01061 436 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000003"}, ... 184, ) }, ... 184, ) == 0x0 01062 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01063 436 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01064 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01065 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01066 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01067 436 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01068 436 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01069 436 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01070 436 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01071 436 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01072 436 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01073 436 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01074 436 NtClose (184, ... ) == 0x0 01075 436 NtClose (180, ... ) == 0x0 01076 436 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 01077 436 NtClose (164, ... ) == 0x0 01078 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01079 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01080 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 164, ) }, ... 164, ) == 0x0 01081 436 NtQueryValueKey (164, (164, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01082 436 NtClose (164, ... ) == 0x0 01083 436 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0 01084 436 NtClearEvent (132, ... ) == 0x0 01085 436 NtSetEvent (132, ... 0x0, ) == 0x0 01086 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 01087 436 NtQueryInformationFile (92, 455664, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01088 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 01089 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01090 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01091 436 NtAllocateVirtualMemory (-1, 7413760, 0, 4096, 4096, 4, ... 7413760, 4096, ) == 0x0 01092 436 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 01093 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01094 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01095 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 454280, ... ) }, 454280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01096 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.DLL"}, 454280, ... ) }, 454280, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01097 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 454280, ... ) }, 454280, ... ) == 0x0 01098 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01099 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01100 436 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01101 436 NtClose (180, ... ) == 0x0 01102 436 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01103 436 NtClose (184, ... ) == 0x0 01104 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01105 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 453476, ... ) }, 453476, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01106 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 453476, ... ) }, 453476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01107 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 453476, ... ) }, 453476, ... ) == 0x0 01108 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01109 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01110 436 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01111 436 NtClose (184, ... ) == 0x0 01112 436 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01113 436 NtClose (180, ... ) == 0x0 01114 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01116 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 452672, ... ) }, 452672, ... ) == 0x0 01118 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01119 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01120 436 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01121 436 NtClose (180, ... 
) == 0x0 01122 436 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01123 436 NtClose (184, ... ) == 0x0 01124 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01125 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 453476, ... ) }, 453476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01126 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 453476, ... ) }, 453476, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01127 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 453476, ... ) }, 453476, ... ) == 0x0 01128 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01129 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01130 436 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01131 436 NtClose (184, ... ) == 0x0 01132 436 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01133 436 NtClose (180, ... ) == 0x0 01134 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01135 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01136 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01137 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 452672, ... ) }, 452672, ... 
) == 0x0 01138 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 180, {status=0x0, info=1}, ) == 0x0 01139 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 180, ... 184, ) == 0x0 01140 436 NtQuerySection (184, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01141 436 NtClose (180, ... ) == 0x0 01142 436 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01143 436 NtClose (184, ... ) == 0x0 01144 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01145 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 452672, ... ) }, 452672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 452672, ... ) }, 452672, ... ) == 0x0 01148 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01149 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01150 436 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01151 436 NtClose (184, ... ) == 0x0 01152 436 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 01153 436 NtClose (180, ... ) == 0x0 01154 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 01155 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 184, ) == 0x0 01156 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
188, ) == 0x0 01157 436 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 192, ) }, ... 192, ) == 0x0 01158 436 NtQueryValueKey (192, (192, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01159 436 NtQueryValueKey (192, (192, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01160 436 NtQueryValueKey (192, (192, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01161 436 NtQueryValueKey (192, (192, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01162 436 NtQueryValueKey (192, (192, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01163 436 NtQueryValueKey (192, (192, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01164 436 NtQueryValueKey (192, (192, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01165 436 NtQueryValueKey (192, (192, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01166 436 NtQueryValueKey (192, (192, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 436 NtQueryValueKey (192, (192, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 436 NtQueryValueKey (192, (192, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 436 NtQueryValueKey (192, (192, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 436 NtQueryValueKey (192, (192, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 436 NtQueryValueKey (192, (192, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 436 NtQueryValueKey (192, (192, "midi4", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01173 436 NtQueryValueKey (192, (192, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 436 NtQueryValueKey (192, (192, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01175 436 NtQueryValueKey (192, (192, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 436 NtQueryValueKey (192, (192, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01177 436 NtQueryValueKey (192, (192, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 436 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 01179 436 NtQueryValueKey (192, (192, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 436 NtQueryValueKey (192, (192, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01181 436 NtQueryValueKey (192, (192, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 436 NtQueryValueKey (192, (192, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01183 436 NtQueryValueKey (192, (192, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 436 NtQueryValueKey (192, (192, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01185 436 NtQueryValueKey (192, (192, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01186 436 NtQueryValueKey (192, (192, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01187 436 NtQueryValueKey (192, (192, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01188 436 NtQueryValueKey (192, (192, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 436 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... 
) == 0xc07c 01190 436 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 196, ) }, ... 196, ) == 0x0 01191 436 NtQueryValueKey (196, (196, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (196, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01192 436 NtClose (196, ... ) == 0x0 01193 436 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01194 436 NtQueryValueKey (192, (192, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01195 436 NtQueryValueKey (192, (192, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01196 436 NtQueryValueKey (192, (192, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01197 436 NtQueryValueKey (192, (192, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 436 NtQueryValueKey (192, (192, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01199 436 NtQueryValueKey (192, (192, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01200 436 NtQueryValueKey (192, (192, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01201 436 NtQueryValueKey (192, (192, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01202 436 NtQueryValueKey (192, (192, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 436 NtQueryValueKey (192, (192, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 436 NtQueryDefaultUILanguage (452672, ... 01205 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01206 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 01207 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01208 436 NtClose (-2147482208, ... ) == 0x0 01209 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 01210 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01211 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 01212 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01213 436 NtClose (-2147482196, ... ) == 0x0 01214 436 NtClose (-2147482208, ... ) == 0x0 01204 436 NtQueryDefaultUILanguage ... ) == 0x0 01215 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01216 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 196, {status=0x0, info=1}, ) }, 1, 96, ... 196, {status=0x0, info=1}, ) == 0x0 01217 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 196, ... 200, ) == 0x0 01218 436 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x810000), 0x0, 163840, ) == 0x0 01219 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 436 NtQueryDefaultLocale (1, 450708, ... 
) == 0x0 01221 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01222 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 451564, 1, 96, 0} (24, {128, 156, new_msg, 0, 451564, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\347\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\360Z\203\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\352\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1455, 0} " S\26\0\33\0\1\0\0\0\0\0\1\347\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\360Z\203\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\352\6\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1455, 0} (24, {128, 156, new_msg, 0, 451564, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\347\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\360Z\203\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\352\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1455, 0} " S\26\0\33\0\1\0\0\0\0\0\1\347\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\304\0\0\0\377\377\377\377\0\0\0\0\360Z\203\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\354\352\6\0\0\0\0\0" ) ) == 0x0 01223 436 NtClose (196, ... ) == 0x0 01224 436 NtClose (200, ... ) == 0x0 01225 436 NtUnmapViewOfSection (-1, 0x810000, ... ) == 0x0 01226 436 NtUnmapViewOfSection (-1, 0x6eaec, ... ) == STATUS_NOT_MAPPED_VIEW 01227 436 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01228 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01229 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01230 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01231 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 449792, ... ) }, 449792, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01232 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01233 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01234 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01235 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 450384, ... ) }, 450384, ... ) == 0x0 01236 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 200, {status=0x0, info=1}, ) }, 3, 33, ... 200, {status=0x0, info=1}, ) == 0x0 01237 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01238 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 196, ) }, ... 196, ) == 0x0 01239 436 NtQueryValueKey (196, (196, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01240 436 NtQueryValueKey (196, (196, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01241 436 NtClose (196, ... ) == 0x0 01242 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 196, ) == 0x0 01243 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 7413904, 0, (0x1f0001, {24, 52, 0x80, 7413904, 0, "RasPbFile"}, 0, ... ) }, 0, ... 
) == STATUS_ACCESS_DENIED 01244 436 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 204, ) }, ... 204, ) == 0x0 01245 436 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 208, ) == 0x0 01246 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 212, ) == 0x0 01247 436 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 216, ) == 0x0 01248 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 220, ) == 0x0 01249 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 224, ) == 0x0 01250 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 228, ) == 0x0 01251 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 232, ) == 0x0 01252 436 NtCreateKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 236, 2, ) }, 0, 0x0, 0, ... 236, 2, ) == 0x0 01253 436 NtQueryValueKey (236, (236, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01254 436 NtClose (236, ... ) == 0x0 01255 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 236, ) == 0x0 01256 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 240, ) == 0x0 01257 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 244, ) }, ... 244, ) == 0x0 01258 436 NtQueryValueKey (244, (244, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01259 436 NtQueryValueKey (244, (244, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "FileTracingMask", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01260 436 NtQueryValueKey (244, (244, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01261 436 NtQueryValueKey (244, (244, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01262 436 NtQueryValueKey (244, (244, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01263 436 NtQueryValueKey (244, (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01264 436 NtQueryValueKey (244, (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01265 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 248, ) == 0x0 01266 436 NtNotifyChangeKey (244, 248, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01267 436 NtQueryValueKey (244, (244, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "EnableFileTracing", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01268 436 NtQueryValueKey (244, (244, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01269 436 NtQueryValueKey (244, (244, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01270 436 NtQueryValueKey (244, (244, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01271 436 NtQueryValueKey (244, (244, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (244, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01272 436 NtQueryValueKey (244, (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01273 436 NtQueryValueKey (244, (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (244, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01274 436 NtNotifyChangeKey (244, 248, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01275 436 NtSetEvent (232, ... 
0x0, ) == 0x0 01276 436 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 252, ) }, ... 252, ) == 0x0 01277 436 NtWaitForSingleObject (252, 0, {-1800000000, -1}, ... ) == 0x0 01278 436 NtClose (252, ... ) == 0x0 01279 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01280 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 252, ) }, ... 252, ) == 0x0 01282 436 NtQueryValueKey (252, (252, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01283 436 NtClose (252, ... ) == 0x0 01284 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01285 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 252, ) == 0x0 01286 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 256, ) == 0x0 01287 436 NtQuerySystemTime (... {-609885304, 29869973}, ) == 0x0 01288 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0 01289 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01290 436 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01291 436 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 
{process info, class 1, size 32}, 0x0, ) == 0x0 01292 436 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01293 436 NtAllocateVirtualMemory (-1, 7417856, 0, 4096, 4096, 4, ... 7417856, 4096, ) == 0x0 01294 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 264, ) == 0x0 01295 436 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 268, ) == 0x0 01296 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 272, ) }, ... 272, ) == 0x0 01297 436 NtOpenKey (0x20019, {24, 272, 0x40, 0, 0, (0x20019, {24, 272, 0x40, 0, 0, "ActiveComputerName"}, ... 276, ) }, ... 276, ) == 0x0 01298 436 NtQueryValueKey (276, (276, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (276, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (276, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01299 436 NtClose (276, ... ) == 0x0 01300 436 NtClose (272, ... ) == 0x0 01301 436 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 272, ) == 0x0 01302 436 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 276, ) == 0x0 01303 436 NtDuplicateObject (-1, 272, -1, 0x0, 0, 2, ... 280, ) == 0x0 01304 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01305 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0 01306 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01307 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01308 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 454440, (0xc0100080, {24, 0, 0x40, 0, 454440, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 288, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 
288, {status=0x0, info=1}, ) == 0x0 01309 436 NtSetInformationFile (288, 454496, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01310 436 NtSetInformationFile (288, 454488, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01311 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01312 436 NtAllocateVirtualMemory (-1, 7421952, 0, 4096, 4096, 4, ... 7421952, 4096, ) == 0x0 01313 436 NtWriteFile (288, 265, 0, 0, (288, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01314 436 NtReadFile (288, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (288, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01315 436 NtFsControlFile (288, 265, 0x0, 0x0, 0x11c017, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\213 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01316 436 NtFsControlFile (288, 265, 0x0, 0x0, 0x11c017, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48}, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01317 436 NtFsControlFile (288, 265, 0x0, 0x0, 0x11c017, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01318 436 NtFsControlFile (288, 265, 0x0, 0x0, 0x11c017, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\01\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01319 436 NtFsControlFile (288, 265, 0x0, 0x0, 0x11c017, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (288, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\00\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01320 436 NtClose (284, ... ) == 0x0 01321 436 NtClose (288, ... ) == 0x0 01322 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 01323 436 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01324 436 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01325 436 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 288, ) }, ... 
288, ) == 0x0 01326 436 NtWaitForSingleObject (288, 0, {-1800000000, -1}, ... ) == 0x0 01327 436 NtClose (288, ... ) == 0x0 01328 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01329 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 288, ) == 0x0 01330 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01331 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01332 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 454028, (0xc0100080, {24, 0, 0x40, 0, 454028, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0 01333 436 NtSetInformationFile (284, 454084, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01334 436 NtSetInformationFile (284, 454076, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01335 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01336 436 NtWriteFile (284, 265, 0, 0, (284, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01337 436 NtReadFile (284, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (284, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01338 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... 
{status=0x103, info=68}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\214 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01339 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01340 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103 01341 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103 01342 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103 01343 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0X\366\6\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103 01344 436 NtFsControlFile (284, 265, 0x0, 0x0, 0x11c017, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... 
{status=0x103, info=624}, (284, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02\3235\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 01345 436 NtClose (288, ... ) == 0x0 01346 436 NtClose (284, ... ) == 0x0 01347 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 454288, ... ) }, 454288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 454288, ... ) }, 454288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 454288, ... ) }, 454288, ... ) == 0x0 01351 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 
284, {status=0x0, info=1}, ) == 0x0 01352 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 284, ... 288, ) == 0x0 01353 436 NtQuerySection (288, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01354 436 NtClose (284, ... ) == 0x0 01355 436 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 01356 436 NtClose (288, ... ) == 0x0 01357 436 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 288, ) }, ... 288, ) == 0x0 01358 436 NtMapViewOfSection (288, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x810000), {0, 0}, 4096, ) == 0x0 01359 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0 01360 436 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 454752, 112, ... 292, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 454752, 112, ... 292, 0x0, 0x0, 0x0, 112, ) == 0x0 01361 436 NtRequestWaitReplyPort (292, {128, 152, new_msg, 0, 126516, 524288, 454516, 2012750850} (292, {128, 152, new_msg, 0, 126516, 524288, 454516, 2012750850} "\0\366\6\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\360(q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\10\0x\1\10\0@;q\0\240\1\10\0\300 ... {128, 152, reply, 0, 432, 436, 1457, 0} "\7\366\6\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\10\0x\1\10\0@;q\0\240\1\10\0\300 ) ... {128, 152, reply, 0, 432, 436, 1457, 0} (292, {128, 152, new_msg, 0, 126516, 524288, 454516, 2012750850} "\0\366\6\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\360(q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\10\0x\1\10\0@;q\0\240\1\10\0\300 ... 
{128, 152, reply, 0, 432, 436, 1457, 0} "\7\366\6\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\10\0x\1\10\0@;q\0\240\1\10\0\300 ) ) == 0x0 01362 436 NtRequestWaitReplyPort (292, {32, 56, new_msg, 0, 44, 7, 20, 0} (292, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 432, 436, 1458, 0} "\2@\375\177\1\00\300\0\0\0\0\253\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\353\361\371X\5O\200\0@\375\177\0\0\0\0\0\0\0\0`\370\33\2010\373\34\201\1\373\34\201\0\0\0\0P\377\37\3000\373\34\201\0\0\0\0\0\0\306\0\377\377\305\0\0\0\0\0\0\0\306\0\0W\33\2010\373\34\201<\353\361\371" ) ... {124, 148, reply, 0, 432, 436, 1458, 0} (292, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\2113\334\21\261\306\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 432, 436, 1458, 0} "\2@\375\177\1\00\300\0\0\0\0\253\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304\353\361\371X\5O\200\0@\375\177\0\0\0\0\0\0\0\0`\370\33\2010\373\34\201\1\373\34\201\0\0\0\0P\377\37\3000\373\34\201\0\0\0\0\0\0\306\0\377\377\305\0\0\0\0\0\0\0\306\0\0W\33\2010\373\34\201<\353\361\371" ) ) == 0x0 01363 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 01364 436 NtQueryInformationFile (92, 455860, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01365 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 01366 436 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\320Gq\0" ... 
{176, 200, reply, 0, 432, 436, 1460, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 432, 436, 1460, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2\320Gq\0" ... {176, 200, reply, 0, 432, 436, 1460, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01367 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 436 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 01369 436 NtOpenProcessToken (-1, 0x20008, ... 296, ) == 0x0 01370 436 NtQueryInformationToken (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01371 436 NtClose (296, ... ) == 0x0 01372 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 296, ) }, ... 296, ) == 0x0 01373 436 NtSetInformationObject (296, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 01374 436 NtOpenKey (0x3, {24, 296, 0x40, 0, 0, (0x3, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 300, ) }, ... 300, ) == 0x0 01375 436 NtOpenKey (0x1, {24, 300, 0x40, 0, 0, (0x1, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 304, ) }, ... 
304, ) == 0x0 01376 436 NtQueryValueKey (304, (304, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01377 436 NtClose (304, ... ) == 0x0 01378 436 NtAllocateVirtualMemory (-1, 7426048, 0, 20480, 4096, 4, ... 7426048, 20480, ) == 0x0 01379 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01380 436 NtOpenProcessToken (-1, 0xc, ... 304, ) == 0x0 01381 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 01382 436 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 01383 436 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 01384 436 NtQueryValueKey (308, (308, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (308, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 01385 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 312, ) }, ... 312, ) == 0x0 01386 436 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 01387 436 NtClose (312, ... ) == 0x0 01388 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0 01389 436 NtQueryValueKey (312, (312, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01390 436 NtClose (312, ... 
) == 0x0 01391 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 312, ) }, ... 312, ) == 0x0 01392 436 NtQueryValueKey (312, (312, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 436 NtClose (312, ... ) == 0x0 01394 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 312, ) }, ... 312, ) == 0x0 01395 436 NtQueryValueKey (312, (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 01396 436 NtClose (312, ... ) == 0x0 01397 436 NtCreateEvent (0x1f0003, {24, 52, 0x80, 451072, 0, (0x1f0003, {24, 52, 0x80, 451072, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 312, ) }, 0, 1, ... 312, ) == STATUS_OBJECT_NAME_EXISTS 01398 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01399 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01400 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01401 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01402 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01403 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01404 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01405 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01406 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01407 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01408 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01409 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01410 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01411 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01412 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01413 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01414 436 NtQueryDefaultLocale (1, 448908, ... 
) == 0x0 01415 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01416 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01417 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01418 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01419 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01420 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01421 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01422 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01423 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01424 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01425 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 316, ) == 0x0 01426 436 NtQueryInformationToken (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01427 436 NtClose (316, ... ) == 0x0 01428 436 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0 01429 436 NtOpenKey (0x20019, {24, 316, 0x40, 0, 0, (0x20019, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0 01430 436 NtQueryValueKey (320, (320, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01431 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01432 436 NtQueryValueKey (320, (320, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (320, "Local Settings", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 01433 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01434 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01435 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01436 436 NtQueryDefaultLocale (1, 448908, ... ) == 0x0 01437 436 NtClose (320, ... ) == 0x0 01438 436 NtClose (316, ... ) == 0x0 01439 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0 01440 436 NtQueryValueKey (316, (316, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 436 NtClose (316, ... ) == 0x0 01442 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0 01443 436 NtQueryValueKey (316, (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01444 436 NtQueryValueKey (316, (316, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 436 NtClose (316, ... ) == 0x0 01446 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01447 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 316, ) }, ... 316, ) == 0x0 01448 436 NtQueryValueKey (316, (316, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01449 436 NtClose (316, ... ) == 0x0 01450 436 NtAllocateVirtualMemory (-1, 1523712, 0, 4096, 4096, 4, ... 
1523712, 4096, ) == 0x0 01451 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 436 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 8519680, 4096, ) == 0x0 01453 436 NtAllocateVirtualMemory (-1, 7446528, 0, 4096, 4096, 4, ... 7446528, 4096, ) == 0x0 01454 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01455 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01456 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 01457 436 NtQueryValueKey (316, (316, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01458 436 NtClose (316, ... ) == 0x0 01459 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 01460 436 NtQueryValueKey (316, (316, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 01461 436 NtClose (316, ... 
) == 0x0 01462 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01463 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 316, ) }, ... 316, ) == 0x0 01464 436 NtQueryKey (316, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 01465 436 NtQuerySecurityObject (316, 7, 0, ... ) == STATUS_ACCESS_DENIED 01466 436 NtEnumerateValueKey (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01467 436 NtEnumerateValueKey (316, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01468 436 NtEnumerateValueKey (316, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (316, 2, Full, 220, ... 
TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01469 436 NtEnumerateValueKey (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01470 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01471 436 NtEnumerateValueKey (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01472 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01473 436 NtEnumerateValueKey (316, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (316, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01474 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01475 436 NtEnumerateValueKey (316, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (316, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01476 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01477 436 NtEnumerateValueKey (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01478 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01479 436 NtEnumerateValueKey (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01480 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01481 436 NtEnumerateValueKey (316, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (316, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01482 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01483 436 NtEnumerateValueKey (316, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (316, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01484 436 NtEnumerateValueKey (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01485 436 NtEnumerateValueKey (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (316, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01486 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01487 436 NtEnumerateValueKey (316, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (316, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01488 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01489 436 NtEnumerateValueKey (316, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (316, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01490 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01491 436 NtEnumerateValueKey (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (316, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01492 436 NtEnumerateValueKey (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (316, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01493 436 NtEnumerateValueKey (316, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (316, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01494 436 NtEnumerateValueKey (316, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (316, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01495 436 NtEnumerateValueKey (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (316, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01496 436 NtEnumerateValueKey (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (316, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01497 436 NtEnumerateValueKey (316, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (316, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (316, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01498 436 NtEnumerateValueKey (316, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name= (316, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (316, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01499 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01500 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01501 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 451996, ... ) }, 451996, ... ) == 0x0 01502 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01503 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01504 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01505 436 NtEnumerateValueKey (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (316, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01506 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01507 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01508 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 451996, ... ) }, 451996, ... ) == 0x0 01509 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01510 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01511 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01512 436 NtClose (316, ... ) == 0x0 01513 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 316, ) }, ... 316, ) == 0x0 01514 436 NtOpenKey (0x20019, {24, 316, 0x40, 0, 0, (0x20019, {24, 316, 0x40, 0, 0, "ActiveComputerName"}, ... 320, ) }, ... 320, ) == 0x0 01515 436 NtQueryValueKey (320, (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (320, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01516 436 NtClose (320, ... ) == 0x0 01517 436 NtClose (316, ... ) == 0x0 01518 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01519 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 01520 436 NtQueryValueKey (316, (316, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01521 436 NtClose (316, ... ) == 0x0 01522 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 01523 436 NtQueryValueKey (316, (316, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 01524 436 NtClose (316, ... ) == 0x0 01525 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01526 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 316, ) }, ... 316, ) == 0x0 01527 436 NtQueryValueKey (316, (316, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 01528 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01529 436 NtQueryValueKey (316, (316, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "CommonFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 01530 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01531 436 NtClose (316, ... ) == 0x0 01532 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01533 436 NtOpenKey (0x20019, {24, 296, 0x40, 0, 0, (0x20019, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0 01534 436 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 01535 436 NtQueryInformationToken (304, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 01536 436 NtDuplicateToken (304, 0xc, {24, 0, 0x0, 0, 453380, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 01537 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01538 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01539 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 320, ) == 0x0 01540 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01541 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01542 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 451584, (0xc0100080, {24, 0, 0x40, 0, 451584, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01543 436 NtSetInformationFile (324, 451640, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01544 436 NtSetInformationFile (324, 451632, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01545 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01546 436 NtWriteFile (324, 265, 0, 0, (324, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01547 436 NtReadFile (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\6\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01548 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\6\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\6\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01549 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\354\352\6\0\1\0\0\0\370\243q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\354\352\6\0\1\0\0\0\370\243q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01550 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0;\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01551 436 NtClose (320, ... ) == 0x0 01552 436 NtClose (324, ... ) == 0x0 01553 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01554 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0 01555 436 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01556 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01557 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 451580, (0xc0100080, {24, 0, 0x40, 0, 451580, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 01558 436 NtSetInformationFile (320, 451636, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01559 436 NtSetInformationFile (320, 451628, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01560 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01561 436 NtWriteFile (320, 265, 0, 0, (320, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01562 436 NtReadFile (320, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (320, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01563 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\7\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01564 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\350\352\6\0\1\0\0\0\370\243q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\350\352\6\0\1\0\0\0\370\243q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01565 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0<\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01566 436 NtClose (324, ... ) == 0x0 01567 436 NtClose (320, ... ) == 0x0 01568 436 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01569 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01570 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 320, ) == 0x0 01571 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01572 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01573 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 451212, (0xc0100080, {24, 0, 0x40, 0, 451212, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01574 436 NtSetInformationFile (324, 451268, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01575 436 NtSetInformationFile (324, 451260, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01576 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01577 436 NtWriteFile (324, 265, 0, 0, (324, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) == 0x0 01578 436 NtReadFile (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01579 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\10\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01580 436 NtClose (320, ... ) == 0x0 01581 436 NtClose (324, ... ) == 0x0 01582 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01583 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01584 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01585 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 324, ) }, ... 324, ) == 0x0 01586 436 NtQueryValueKey (324, (324, "ProfileImagePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 01587 436 NtClose (324, ... ) == 0x0 01588 436 NtCreateKey (0x2001f, {24, 316, 0x40, 0, 0, (0x2001f, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 324, 2, ) }, 0, 0x0, 0, ... 324, 2, ) == 0x0 01589 436 NtQueryValueKey (324, (324, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 01590 436 NtClose (324, ... ) == 0x0 01591 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01592 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01593 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 453284, ... ) }, 453284, ... ) == 0x0 01594 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 453292, (0x80100080, {24, 0, 0x40, 0, 453292, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01595 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01596 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01597 436 NtQueryInformationFile (324, 453308, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01598 436 NtReadFile (324, 0, 0, 0, 0, 0x0, 0, ... 
{status=0x0, info=0}, "", ) == 0x0 01599 436 NtClose (324, ... ) == 0x0 01600 436 NtOpenKey (0x20019, {24, 316, 0x40, 0, 0, (0x20019, {24, 316, 0x40, 0, 0, "Environment"}, ... 324, ) }, ... 324, ) == 0x0 01601 436 NtAllocateVirtualMemory (-1, 7450624, 0, 12288, 4096, 4, ... 7450624, 12288, ) == 0x0 01602 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01603 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01604 436 NtEnumerateValueKey (324, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01605 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01606 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01607 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01608 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 452024, ... ) }, 452024, ... ) == 0x0 01609 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01610 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01611 436 NtClose (320, ... ) == 0x0 01612 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01613 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01614 436 NtClose (320, ... ) == 0x0 01615 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01616 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01617 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01618 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01619 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01620 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01621 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 452024, ... ) }, 452024, ... ) == 0x0 01622 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01623 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01624 436 NtClose (320, ... ) == 0x0 01625 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01626 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01627 436 NtClose (320, ... ) == 0x0 01628 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01629 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01630 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01631 436 NtEnumerateValueKey (324, 2, Full, 220, ... 
) == STATUS_NO_MORE_ENTRIES 01632 436 NtClose (324, ... ) == 0x0 01633 436 NtOpenKey (0x20019, {24, 316, 0x40, 0, 0, (0x20019, {24, 316, 0x40, 0, 0, "Volatile Environment"}, ... 324, ) }, ... 324, ) == 0x0 01634 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01635 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01636 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01637 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01638 436 NtEnumerateValueKey (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01639 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01640 436 NtEnumerateValueKey (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01641 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01642 436 NtEnumerateValueKey (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01643 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01644 436 NtEnumerateValueKey (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01645 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01646 436 NtEnumerateValueKey (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (324, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01647 436 NtEnumerateValueKey (324, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01648 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01649 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01650 436 NtEnumerateValueKey (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01651 436 NtEnumerateValueKey (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01652 436 NtEnumerateValueKey (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01653 436 NtEnumerateValueKey (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01654 436 NtEnumerateValueKey (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01655 436 NtEnumerateValueKey (324, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01656 436 NtClose (324, ... ) == 0x0 01657 436 NtClose (316, ... ) == 0x0 01658 436 NtFreeVirtualMemory (-1, (0x820000), 0, 32768, ... (0x820000), 4096, ) == 0x0 01659 436 NtClose (308, ... ) == 0x0 01660 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 453948, ... ) }, 453948, ... ) == 0x0 01661 436 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 01662 436 NtSetValueKey (308, (308, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (308, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0 01663 436 NtClose (308, ... ) == 0x0 01664 436 NtClose (304, ... 
) == 0x0 01665 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 304, {status=0x0, info=1}, ) }, 3, 16417, ... 304, {status=0x0, info=1}, ) == 0x0 01666 436 NtQueryDirectoryFile (304, 0, 0, 0, 452924, 616, BothDirectory, 1, (304, 0, 0, 0, 452924, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01667 436 NtClose (304, ... ) == 0x0 01668 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 304, {status=0x0, info=1}, ) }, 3, 16417, ... 304, {status=0x0, info=1}, ) == 0x0 01669 436 NtQueryDirectoryFile (304, 0, 0, 0, 452924, 616, BothDirectory, 1, (304, 0, 0, 0, 452924, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01670 436 NtClose (304, ... ) == 0x0 01671 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01672 436 NtOpenProcessToken (-1, 0xc, ... 304, ) == 0x0 01673 436 NtQueryInformationToken (304, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 01674 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0 01675 436 NtCreateKey (0x2000000, {24, 308, 0x40, 0, 0, (0x2000000, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 01676 436 NtClose (308, ... ) == 0x0 01677 436 NtQueryValueKey (316, (316, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "AppData", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 01678 436 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 8519680, 4096, ) == 0x0 01679 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01680 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01681 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 308, ) }, ... 308, ) == 0x0 01682 436 NtQueryValueKey (308, (308, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (308, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01683 436 NtClose (308, ... ) == 0x0 01684 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 308, ) }, ... 308, ) == 0x0 01685 436 NtQueryValueKey (308, (308, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 01686 436 NtClose (308, ... ) == 0x0 01687 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... 
{BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01688 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 308, ) }, ... 308, ) == 0x0 01689 436 NtQueryKey (308, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 01690 436 NtQuerySecurityObject (308, 7, 0, ... ) == STATUS_ACCESS_DENIED 01691 436 NtEnumerateValueKey (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01692 436 NtEnumerateValueKey (308, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (308, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01693 436 NtEnumerateValueKey (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01694 436 NtEnumerateValueKey (308, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (308, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (308, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01695 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01696 436 NtEnumerateValueKey (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01697 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01698 436 NtEnumerateValueKey (308, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (308, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01699 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01700 436 NtEnumerateValueKey (308, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (308, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01701 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01702 436 NtEnumerateValueKey (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01703 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01704 436 NtEnumerateValueKey (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01705 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01706 436 NtEnumerateValueKey (308, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (308, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01707 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01708 436 NtEnumerateValueKey (308, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (308, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01709 436 NtEnumerateValueKey (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01710 436 NtEnumerateValueKey (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (308, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01711 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01712 436 NtEnumerateValueKey (308, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (308, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01713 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01714 436 NtEnumerateValueKey (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (308, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01715 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01716 436 NtEnumerateValueKey (308, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (308, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01717 436 NtEnumerateValueKey (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (308, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01718 436 NtEnumerateValueKey (308, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (308, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01719 436 NtEnumerateValueKey (308, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (308, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01720 436 NtEnumerateValueKey (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (308, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01721 436 NtEnumerateValueKey (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (308, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01722 436 NtEnumerateValueKey (308, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (308, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (308, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01723 436 NtEnumerateValueKey (308, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name= (308, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (308, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01724 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01725 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01726 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 451996, ... ) }, 451996, ... ) == 0x0 01727 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01728 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01729 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01730 436 NtEnumerateValueKey (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (308, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01731 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01732 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01733 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 451996, ... ) }, 451996, ... ) == 0x0 01734 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01735 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01736 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01737 436 NtClose (308, ... ) == 0x0 01738 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 308, ) }, ... 308, ) == 0x0 01739 436 NtOpenKey (0x20019, {24, 308, 0x40, 0, 0, (0x20019, {24, 308, 0x40, 0, 0, "ActiveComputerName"}, ... 324, ) }, ... 324, ) == 0x0 01740 436 NtQueryValueKey (324, (324, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (324, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (324, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01741 436 NtClose (324, ... ) == 0x0 01742 436 NtClose (308, ... ) == 0x0 01743 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01744 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 308, ) }, ... 308, ) == 0x0 01745 436 NtQueryValueKey (308, (308, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (308, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01746 436 NtClose (308, ... ) == 0x0 01747 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 308, ) }, ... 308, ) == 0x0 01748 436 NtQueryValueKey (308, (308, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 01749 436 NtClose (308, ... ) == 0x0 01750 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01751 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 308, ) }, ... 308, ) == 0x0 01752 436 NtQueryValueKey (308, (308, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 01753 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01754 436 NtQueryValueKey (308, (308, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "CommonFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 01755 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01756 436 NtClose (308, ... ) == 0x0 01757 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01758 436 NtOpenKey (0x20019, {24, 296, 0x40, 0, 0, (0x20019, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0 01759 436 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 01760 436 NtQueryInformationToken (304, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 01761 436 NtDuplicateToken (304, 0xc, {24, 0, 0x0, 0, 453380, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 01762 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01763 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01764 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 324, ) == 0x0 01765 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01766 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01767 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 451584, (0xc0100080, {24, 0, 0x40, 0, 451584, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 01768 436 NtSetInformationFile (320, 451640, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01769 436 NtSetInformationFile (320, 451632, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01770 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01771 436 NtWriteFile (320, 265, 0, 0, (320, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01772 436 NtReadFile (320, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (320, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01773 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\11\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01774 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\354\352\6\0\1\0\0\0\210\244q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\354\352\6\0\1\0\0\0\210\244q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01775 436 NtFsControlFile (320, 265, 0x0, 0x0, 0x11c017, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270\327q\0\1\0\0\0\304\327q\0 \0\0\0\1\0\0\0\16\0\20\0\320\327q\0\340\327q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (320, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0=\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270\327q\0\1\0\0\0\304\327q\0 \0\0\0\1\0\0\0\16\0\20\0\320\327q\0\340\327q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01776 436 NtClose (324, ... ) == 0x0 01777 436 NtClose (320, ... ) == 0x0 01778 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01779 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 320, ) == 0x0 01780 436 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01781 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01782 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 451580, (0xc0100080, {24, 0, 0x40, 0, 451580, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01783 436 NtSetInformationFile (324, 451636, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01784 436 NtSetInformationFile (324, 451628, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01785 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01786 436 NtWriteFile (324, 265, 0, 0, (324, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01787 436 NtReadFile (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (324, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01788 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260\352\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01789 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\350\352\6\0\1\0\0\0\210\244q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\350\352\6\0\1\0\0\0\210\244q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01790 436 NtFsControlFile (324, 265, 0x0, 0x0, 0x11c017, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270\327q\0\1\0\0\0\304\327q\0 \0\0\0\1\0\0\0\16\0\20\0\320\327q\0\340\327q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (324, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0>\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\270\327q\0\1\0\0\0\304\327q\0 \0\0\0\1\0\0\0\16\0\20\0\320\327q\0\340\327q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01791 436 NtClose (320, ... ) == 0x0 01792 436 NtClose (324, ... ) == 0x0 01793 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01794 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01795 436 NtQueryInformationToken (304, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01796 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 324, ) }, ... 324, ) == 0x0 01797 436 NtQueryValueKey (324, (324, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (324, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 01798 436 NtClose (324, ... 
) == 0x0 01799 436 NtCreateKey (0x2001f, {24, 308, 0x40, 0, 0, (0x2001f, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 324, 2, ) }, 0, 0x0, 0, ... 324, 2, ) == 0x0 01800 436 NtQueryValueKey (324, (324, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (324, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 01801 436 NtClose (324, ... ) == 0x0 01802 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01803 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01804 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 453284, ... ) }, 453284, ... ) == 0x0 01805 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 453292, (0x80100080, {24, 0, 0x40, 0, 453292, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 324, {status=0x0, info=1}, ) == 0x0 01806 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01807 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01808 436 NtQueryInformationFile (324, 453308, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01809 436 NtReadFile (324, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 01810 436 NtClose (324, ... ) == 0x0 01811 436 NtOpenKey (0x20019, {24, 308, 0x40, 0, 0, (0x20019, {24, 308, 0x40, 0, 0, "Environment"}, ... 324, ) }, ... 324, ) == 0x0 01812 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01813 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01814 436 NtEnumerateValueKey (324, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01815 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01816 436 NtAllocateVirtualMemory (-1, 7462912, 0, 4096, 4096, 4, ... 7462912, 4096, ) == 0x0 01817 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01818 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01819 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 452024, ... ) }, 452024, ... ) == 0x0 01820 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 
320, {status=0x0, info=1}, ) == 0x0 01821 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01822 436 NtClose (320, ... ) == 0x0 01823 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01824 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01825 436 NtClose (320, ... ) == 0x0 01826 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01827 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01828 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01829 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01830 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01831 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01832 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 452024, ... ) }, 452024, ... ) == 0x0 01833 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01834 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01835 436 NtClose (320, ... ) == 0x0 01836 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 320, {status=0x0, info=1}, ) }, 3, 16417, ... 320, {status=0x0, info=1}, ) == 0x0 01837 436 NtQueryDirectoryFile (320, 0, 0, 0, 451384, 616, BothDirectory, 1, (320, 0, 0, 0, 451384, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01838 436 NtClose (320, ... ) == 0x0 01839 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01840 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01841 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01842 436 NtEnumerateValueKey (324, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01843 436 NtClose (324, ... ) == 0x0 01844 436 NtOpenKey (0x20019, {24, 308, 0x40, 0, 0, (0x20019, {24, 308, 0x40, 0, 0, "Volatile Environment"}, ... 324, ) }, ... 324, ) == 0x0 01845 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01846 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01847 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01848 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01849 436 NtEnumerateValueKey (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01850 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01851 436 NtEnumerateValueKey (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01852 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... 
{BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01853 436 NtEnumerateValueKey (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01854 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01855 436 NtEnumerateValueKey (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01856 436 NtQueryVirtualMemory (-1, 0x820000, Basic, 28, ... {BaseAddress=0x820000,AllocationBase=0x820000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01857 436 NtEnumerateValueKey (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01858 436 NtEnumerateValueKey (324, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01859 436 NtEnumerateValueKey (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (324, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01860 436 NtEnumerateValueKey (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (324, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01861 436 NtEnumerateValueKey (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (324, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01862 436 NtEnumerateValueKey (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (324, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01863 436 NtEnumerateValueKey (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (324, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01864 436 NtEnumerateValueKey (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (324, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01865 436 NtEnumerateValueKey (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (324, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01866 436 NtEnumerateValueKey (324, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01867 436 NtClose (324, ... ) == 0x0 01868 436 NtClose (308, ... ) == 0x0 01869 436 NtFreeVirtualMemory (-1, (0x820000), 0, 32768, ... (0x820000), 4096, ) == 0x0 01870 436 NtClose (316, ... ) == 0x0 01871 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 453948, ... ) }, 453948, ... ) == 0x0 01872 436 NtQueryInformationToken (304, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 01873 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 316, ) }, ... 316, ) == 0x0 01874 436 NtCreateKey (0x2000000, {24, 316, 0x40, 0, 0, (0x2000000, {24, 316, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 01875 436 NtClose (316, ... ) == 0x0 01876 436 NtSetValueKey (308, (308, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (308, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 01877 436 NtClose (308, ... ) == 0x0 01878 436 NtClose (304, ... 
) == 0x0 01879 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 01880 436 NtCreateKey (0x2, {24, 300, 0x40, 0, 0, (0x2, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 304, 2, ) }, 0, "", 0, ... 304, 2, ) == 0x0 01881 436 NtSetValueKey (304, (304, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (304, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 01882 436 NtClose (304, ... ) == 0x0 01883 436 NtOpenKey (0x20019, {24, 300, 0x40, 0, 0, (0x20019, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 304, ) }, ... 304, ) == 0x0 01884 436 NtQueryValueKey (304, (304, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01885 436 NtQueryValueKey (304, (304, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01886 436 NtQueryValueKey (304, (304, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01887 436 NtQueryValueKey (304, (304, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01888 436 NtClose (304, ... ) == 0x0 01889 436 NtWaitForSingleObject (152, 0, 0x0, ... ) == 0x0 01890 436 NtCreateKey (0x1, {24, 300, 0x40, 0, 0, (0x1, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 304, 2, ) }, 0, "", 0, ... 304, 2, ) == 0x0 01891 436 NtQueryValueKey (304, (304, "SavedLegacySettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (304, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01892 436 NtQueryValueKey (304, (304, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (304, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01893 436 NtReleaseMutant (152, ... 0x0, ) == 0x0 01894 436 NtClose (304, ... ) == 0x0 01895 436 NtWaitForSingleObject (152, 0, 0x0, ... ) == 0x0 01896 436 NtCreateKey (0x1, {24, 300, 0x40, 0, 0, (0x1, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 304, 2, ) }, 0, "", 0, ... 304, 2, ) == 0x0 01897 436 NtQueryValueKey (304, (304, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (304, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01898 436 NtQueryValueKey (304, (304, "DefaultConnectionSettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (304, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01899 436 NtReleaseMutant (152, ... 0x0, ) == 0x0 01900 436 NtClose (304, ... ) == 0x0 01901 436 NtWaitForSingleObject (132, 0, 0x0, ... ) == 0x0 01902 436 NtClearEvent (132, ... ) == 0x0 01903 436 NtSetEvent (132, ... 0x0, ) == 0x0 01904 436 NtCreateKey (0x20006, {24, 300, 0x40, 0, 0, (0x20006, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 304, 2, ) }, 0, "", 0, ... 304, 2, ) == 0x0 01905 436 NtSetValueKey (304, (304, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (304, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 01906 436 NtDeleteValueKey (304, (304, "ProxyServer", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01907 436 NtDeleteValueKey (304, (304, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01908 436 NtDeleteValueKey (304, (304, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01909 436 NtClose (304, ... ) == 0x0 01910 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 304, ) }, ... 304, ) == 0x0 01911 436 NtCreateKey (0x2, {24, 304, 0x40, 0, 0, (0x2, {24, 304, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 308, 2, ) }, 0, "", 0, ... 308, 2, ) == 0x0 01912 436 NtSetValueKey (308, (308, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (308, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 01913 436 NtClose (308, ... ) == 0x0 01914 436 NtWaitForSingleObject (152, 0, 0x0, ... 
) == 0x0 01915 436 NtCreateKey (0x1, {24, 300, 0x40, 0, 0, (0x1, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 308, 2, ) }, 0, "", 0, ... 308, 2, ) == 0x0 01916 436 NtQueryValueKey (308, (308, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (308, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01917 436 NtQueryValueKey (308, (308, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (308, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01918 436 NtCreateKey (0x2, {24, 300, 0x40, 0, 0, (0x2, {24, 300, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 316, 2, ) }, 0, "", 0, ... 316, 2, ) == 0x0 01919 436 NtReleaseMutant (152, ... 0x0, ) == 0x0 01920 436 NtClose (308, ... ) == 0x0 01921 436 NtSetValueKey (316, (316, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3, (316, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ... 01922 436 NtSetInformationFile (-2147482700, -133527756, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 01923 436 NtSetInformationFile (-2147482700, -133527792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01924 436 NtSetInformationFile (-2147482700, -133527856, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01921 436 NtSetValueKey ... ) == 0x0 01925 436 NtClose (316, ... ) == 0x0 01926 436 NtReleaseMutant (144, ... 0x0, ) == 0x0 01927 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 316, ) }, ... 316, ) == 0x0 01928 436 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0 01929 436 NtClose (316, ... ) == 0x0 01930 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 316, ) }, ... 316, ) == 0x0 01931 436 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 01932 436 NtClose (316, ... ) == 0x0 01933 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01934 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8519680, 65536, ) == 0x0 01935 436 NtAllocateVirtualMemory (-1, 8519680, 0, 4096, 4096, 4, ... 8519680, 4096, ) == 0x0 01936 436 NtAllocateVirtualMemory (-1, 8523776, 0, 8192, 4096, 4, ... 8523776, 8192, ) == 0x0 01937 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 316, ) }, 0, ... 316, ) == 0x0 01938 436 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 308, ) }, 0, ... 308, ) == 0x0 01939 436 NtQueryDefaultUILanguage (451884, ... 01940 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01941 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482208, ) == 0x0 01942 436 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01943 436 NtClose (-2147482208, ... ) == 0x0 01944 436 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 01945 436 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01946 436 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 01947 436 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01948 436 NtClose (-2147482196, ... ) == 0x0 01949 436 NtClose (-2147482208, ... ) == 0x0 01939 436 NtQueryDefaultUILanguage ... ) == 0x0 01950 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01951 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 324, {status=0x0, info=1}, ) }, 1, 96, ... 324, {status=0x0, info=1}, ) == 0x0 01952 436 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 324, ... 320, ) == 0x0 01953 436 NtMapViewOfSection (320, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x830000), 0x0, 454656, ) == 0x0 01954 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01955 436 NtQueryDefaultLocale (1, 449920, ... 
) == 0x0 01956 436 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01957 436 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 450776, 1, 96, 0} (24, {128, 156, new_msg, 0, 450776, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\344\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\240\302\210\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\347\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1464, 0} " S\26\0\33\0\1\0\0\0\0\0\1\344\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\240\302\210\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\347\6\0\0\0\0\0" ) ... {128, 156, reply, 0, 432, 436, 1464, 0} (24, {128, 156, new_msg, 0, 450776, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\344\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\240\302\210\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\347\6\0\0\0\0\0" ... {128, 156, reply, 0, 432, 436, 1464, 0} " S\26\0\33\0\1\0\0\0\0\0\1\344\6\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1D\1\0\0\377\377\377\377\0\0\0\0\240\302\210\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\330\347\6\0\0\0\0\0" ) ) == 0x0 01958 436 NtClose (324, ... ) == 0x0 01959 436 NtClose (320, ... ) == 0x0 01960 436 NtUnmapViewOfSection (-1, 0x830000, ... ) == 0x0 01961 436 NtUnmapViewOfSection (-1, 0x6e7d8, ... ) == STATUS_NOT_MAPPED_VIEW 01962 436 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01963 436 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01964 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01965 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01966 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 448460, ... ) }, 448460, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01967 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01968 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01969 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01970 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 449052, ... ) }, 449052, ... ) == 0x0 01971 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 320, {status=0x0, info=1}, ) }, 3, 33, ... 320, {status=0x0, info=1}, ) == 0x0 01972 436 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01973 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01974 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01975 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01976 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01977 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
324, ) == 0x0 01978 436 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01979 436 NtClose (324, ... ) == 0x0 01980 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 324, ) }, ... 324, ) == 0x0 01981 436 NtSetInformationObject (326, Handle, {Inherit=0,ProtectFromClose=1,}, 393472, ... ) == 0x0 01982 436 NtQueryKey (326, Name, 384, ... {Name= (326, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01983 436 NtOpenKey (0x2000000, {24, 326, 0x40, 0, 0, (0x2000000, {24, 326, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01984 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 328, ) }, ... 328, ) == 0x0 01985 436 NtQueryKey (330, Name, 392, ... {Name= (330, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 01986 436 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01987 436 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 332, ) == 0x0 01988 436 NtQueryInformationToken (332, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01989 436 NtClose (332, ... ) == 0x0 01990 436 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01991 436 NtEnumerateKey (330, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (330, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 01992 436 NtEnumerateKey (330, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01993 436 NtClose (330, ... 
) == 0x0 01994 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01995 436 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01996 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 328, ) }, ... 328, ) == 0x0 01997 436 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "Ranges\"}, ... 332, ) }, ... 332, ) == 0x0 01998 436 NtQueryKey (332, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 01999 436 NtClose (332, ... ) == 0x0 02000 436 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\10\0" ... {176, 200, reply, 0, 432, 436, 1465, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 432, 436, 1465, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\10\0" ... 
{176, 200, reply, 0, 432, 436, 1465, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 02001 436 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 332, ) }, {8, 0}, 4, 134217728, 0, ... 332, ) == 0x0 02002 436 NtMapViewOfSection (332, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x830000), {0, 0}, 4096, ) == 0x0 02003 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 336, ) }, ... 336, ) == 0x0 02004 436 NtQueryValueKey (336, (336, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02005 436 NtClose (336, ... ) == 0x0 02006 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 336, ) }, ... 336, ) == 0x0 02007 436 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "0"}, ... 340, ) }, ... 340, ) == 0x0 02008 436 NtClose (340, ... ) == 0x0 02009 436 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "1"}, ... 340, ) }, ... 340, ) == 0x0 02010 436 NtClose (340, ... ) == 0x0 02011 436 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "2"}, ... 340, ) }, ... 340, ) == 0x0 02012 436 NtClose (340, ... ) == 0x0 02013 436 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "3"}, ... 340, ) }, ... 340, ) == 0x0 02014 436 NtClose (340, ... 
) == 0x0 02015 436 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "4"}, ... 340, ) }, ... 340, ) == 0x0 02016 436 NtClose (340, ... ) == 0x0 02017 436 NtClose (336, ... ) == 0x0 02018 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 336, ) }, ... 336, ) == 0x0 02019 436 NtEnumerateKey (336, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (336, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 02020 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 340, ) }, ... 340, ) == 0x0 02021 436 NtQueryValueKey (340, (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 02022 436 NtClose (340, ... ) == 0x0 02023 436 NtEnumerateKey (336, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (336, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0 02024 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 340, ) }, ... 340, ) == 0x0 02025 436 NtQueryValueKey (340, (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) }, 16, ) == 0x0 02026 436 NtWaitForSingleObject (316, 0, 0x0, ... ) == 0x0 02027 436 NtReleaseMutant (316, ... 0x0, ) == 0x0 02028 436 NtOpenKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 344, ) }, ... 
344, ) == 0x0 02029 436 NtSetValueKey (344, (344, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (344, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02030 436 NtSetValueKey (344, (344, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (344, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02031 436 NtSetValueKey (344, (344, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (344, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02032 436 NtClose (344, ... ) == 0x0 02033 436 NtClose (340, ... ) == 0x0 02034 436 NtEnumerateKey (336, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (336, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) }, 18, ) == 0x0 02035 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 340, ) }, ... 340, ) == 0x0 02036 436 NtQueryValueKey (340, (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0 02037 436 NtClose (340, ... ) == 0x0 02038 436 NtEnumerateKey (336, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (336, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0 02039 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 340, ) }, ... 340, ) == 0x0 02040 436 NtQueryValueKey (340, (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02041 436 NtClose (340, ... ) == 0x0 02042 436 NtEnumerateKey (336, 4, Basic, 288, ... 
{LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (336, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0 02043 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 340, ) }, ... 340, ) == 0x0 02044 436 NtQueryValueKey (340, (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (340, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 02045 436 NtClose (340, ... ) == 0x0 02046 436 NtEnumerateKey (336, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02047 436 NtClose (336, ... ) == 0x0 02048 436 NtWaitForSingleObject (316, 0, 0x0, ... ) == 0x0 02049 436 NtReleaseMutant (316, ... 0x0, ) == 0x0 02050 436 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "Domains\66.11.115.52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02051 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\66.11.115.52"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02052 436 NtQueryValueKey (328, (328, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (328, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02053 436 NtClearEvent (132, ... ) == 0x0 02054 436 NtSetEvent (132, ... 0x0, ) == 0x0 02055 436 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "ProtocolDefaults\"}, ... 336, ) }, ... 336, ) == 0x0 02056 436 NtQueryValueKey (336, (336, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 02057 436 NtClose (336, ... 
) == 0x0 02058 436 NtWaitForSingleObject (316, 0, 0x0, ... ) == 0x0 02059 436 NtReleaseMutant (316, ... 0x0, ) == 0x0 02060 436 NtWaitForSingleObject (316, 0, 0x0, ... ) == 0x0 02061 436 NtReleaseMutant (316, ... 0x0, ) == 0x0 02062 436 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 02063 436 NtReleaseMutant (308, ... 0x0, ) == 0x0 02064 436 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 336, ) }, ... 336, ) == 0x0 02065 436 NtQueryValueKey (336, (336, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02066 436 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 02067 436 NtReleaseMutant (308, ... 0x0, ) == 0x0 02068 436 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 02069 436 NtReleaseMutant (308, ... 0x0, ) == 0x0 02070 436 NtClose (336, ... ) == 0x0 02071 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02072 436 NtQueryInformationFile (92, 456112, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02073 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 02074 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02075 436 NtQueryInformationFile (92, 453728, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02076 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 02077 436 NtWaitForSingleObject (104, 0, 0x0, ... ) == 0x0 02078 436 NtQueryInformationFile (116, 455692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02079 436 NtReleaseMutant (104, ... 0x0, ) == 0x0 02080 436 NtWaitForSingleObject (104, 0, 0x0, ... ) == 0x0 02081 436 NtQueryInformationFile (116, 455652, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02082 436 NtReleaseMutant (104, ... 0x0, ) == 0x0 02083 436 NtWaitForSingleObject (172, 0, {0, 0}, ... 
) == 0x102 02084 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 452280, ... ) }, 452280, ... ) == 0x0 02085 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0 02086 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 336, ... 340, ) == 0x0 02087 436 NtClose (336, ... ) == 0x0 02088 436 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 229376, ) == 0x0 02089 436 NtClose (340, ... ) == 0x0 02090 436 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 02091 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 452596, ... ) }, 452596, ... ) == 0x0 02092 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 02093 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 336, ) == 0x0 02094 436 NtQuerySection (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02095 436 NtClose (340, ... ) == 0x0 02096 436 NtMapViewOfSection (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 02097 436 NtClose (336, ... ) == 0x0 02098 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02099 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02100 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
336, ) == 0x0 02101 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02102 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 452396, ... ) }, 452396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02103 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 452396, ... ) }, 452396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02104 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 452396, ... ) }, 452396, ... ) == 0x0 02105 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 02106 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 340, ... 344, ) == 0x0 02107 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02108 436 NtClose (340, ... ) == 0x0 02109 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 02110 436 NtClose (344, ... ) == 0x0 02111 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) , 0, ... 344, 2, ) == 0x0 02112 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 340, ) }, ... 340, ) == 0x0 02113 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02114 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02115 436 NtQueryValueKey (340, (340, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02116 436 NtQueryValueKey (344, (344, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02117 436 NtQueryValueKey (340, (340, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02118 436 NtQueryValueKey (344, (344, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02119 436 NtQueryValueKey (340, (340, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02120 436 NtQueryValueKey (344, (344, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02121 436 NtQueryValueKey (340, (340, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02122 436 NtQueryValueKey (344, (344, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02123 436 NtQueryValueKey (340, (340, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02124 436 NtQueryValueKey (340, (340, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02125 436 NtQueryValueKey (340, (340, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02126 436 NtQueryValueKey (340, (340, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02127 436 NtQueryValueKey (340, (340, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02128 436 NtQueryValueKey (340, (340, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02129 436 NtQueryValueKey (340, (340, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02130 436 NtQueryValueKey (344, (344, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02131 436 NtQueryValueKey (340, (340, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02132 436 NtQueryValueKey (340, (340, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02133 436 NtQueryValueKey (344, (344, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 436 NtQueryValueKey (340, (340, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02135 436 NtQueryValueKey (344, (344, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02136 436 NtQueryValueKey (340, (340, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02137 436 NtQueryValueKey (344, (344, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02138 436 NtQueryValueKey (340, (340, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02139 436 NtQueryValueKey (344, (344, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02140 436 NtQueryValueKey (340, (340, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02141 436 NtQueryValueKey (344, (344, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02142 436 NtQueryValueKey (340, (340, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02143 436 NtQueryValueKey (344, (344, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 436 NtQueryValueKey (340, (340, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02145 436 NtQueryValueKey (344, (344, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02146 436 NtQueryValueKey (340, (340, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02147 436 NtQueryValueKey (344, (344, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02148 436 NtQueryValueKey (340, (340, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02149 436 NtQueryValueKey (340, (340, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02150 436 NtQueryValueKey (340, (340, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02151 436 NtQueryValueKey (340, (340, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02152 436 NtQueryValueKey (340, (340, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02153 436 NtQueryValueKey (340, (340, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02154 436 NtQueryValueKey (340, (340, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02155 436 NtQueryValueKey (340, (340, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02156 436 NtQueryValueKey (340, (340, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02157 436 NtQueryValueKey (340, (340, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02158 436 NtQueryValueKey (340, (340, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02159 436 NtQueryValueKey (340, (340, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02160 436 NtQueryValueKey (340, (340, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02161 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 348, ) }, ... 348, ) == 0x0 02162 436 NtQueryValueKey (348, (348, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02163 436 NtClose (348, ... ) == 0x0 02164 436 NtClose (344, ... ) == 0x0 02165 436 NtClose (340, ... ) == 0x0 02166 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 340, ) }, ... 340, ) == 0x0 02167 436 NtQueryValueKey (340, (340, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02168 436 NtQueryValueKey (340, (340, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02169 436 NtQueryValueKey (340, (340, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02170 436 NtClose (340, ... ) == 0x0 02171 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0 02172 436 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 452872, 112, ... 
344, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 452872, 112, ... 344, 0x0, 0x0, 0x0, 112, ) == 0x0 02173 436 NtRequestWaitReplyPort (344, {128, 152, new_msg, 0, 124636, 524288, 452636, 2012750850} (344, {128, 152, new_msg, 0, 124636, 524288, 452636, 2012750850} "\0\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\00\326q\0\250\326q\0\0\0\0\0\240\326q\0\310\326q\0\360\326q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1467, 0} "\7\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\00\326q\0\250\326q\0\0\0\0\0\240\326q\0\310\326q\0\360\326q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 432, 436, 1467, 0} (344, {128, 152, new_msg, 0, 124636, 524288, 452636, 2012750850} "\0\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\00\326q\0\250\326q\0\0\0\0\0\240\326q\0\310\326q\0\360\326q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1467, 0} "\7\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\00\326q\0\250\326q\0\0\0\0\0\240\326q\0\310\326q\0\360\326q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\2\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02174 436 NtRequestWaitReplyPort (344, {64, 88, new_msg, 0, 44, 3, 20, 0} (344, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... 
{52, 76, reply, 0, 432, 436, 1468, 0} "\2`\372\177\1\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 432, 436, 1468, 0} (344, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 432, 436, 1468, 0} "\2`\372\177\1\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02175 436 NtClose (340, ... ) == 0x0 02176 436 NtClose (344, ... ) == 0x0 02177 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) , 0, ... 344, 2, ) == 0x0 02178 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 340, ) }, ... 340, ) == 0x0 02179 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02180 436 NtQueryValueKey (344, (344, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02181 436 NtQueryValueKey (344, (344, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02182 436 NtClose (344, ... ) == 0x0 02183 436 NtClose (340, ... 
) == 0x0 02184 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0 02185 436 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 452736, 112, ... 344, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 452736, 112, ... 344, 0x0, 0x0, 0x0, 112, ) == 0x0 02186 436 NtRequestWaitReplyPort (344, {128, 152, new_msg, 0, 124500, 524288, 452500, 2012750850} (344, {128, 152, new_msg, 0, 124500, 524288, 452500, 2012750850} "\0\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\00\326q\0\320\326q\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\6\0\200\351\6\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1471, 0} "\7\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\00\326q\0\320\326q\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\6\0\200\351\6\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 432, 436, 1471, 0} (344, {128, 152, new_msg, 0, 124500, 524288, 452500, 2012750850} "\0\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\00\326q\0\320\326q\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\6\0\200\351\6\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 432, 436, 1471, 0} "\7\356\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\00\326q\0\320\326q\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\6\0\200\351\6\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02187 436 NtRequestWaitReplyPort (344, {44, 68, new_msg, 0, 432, 436, 1468, 0} (344, {44, 68, new_msg, 0, 432, 436, 1468, 0} "\1`\0\0A\2\4\0\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 432, 436, 1472, 0} "\2`\372\177\4\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... {40, 64, reply, 0, 432, 436, 1472, 0} (344, {44, 68, new_msg, 0, 432, 436, 1468, 0} "\1`\0\0A\2\4\0\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 432, 436, 1472, 0} "\2`\372\177\4\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02188 436 NtRequestWaitReplyPort (344, {64, 88, new_msg, 56, 0, 1, 0, 0} (344, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\352\6\0@\0\314w\310\325q\0H\352\6\0\260\352\6\0\0\267\362v\260\352\6\0\310\325q\0\1\0\0\0@\347q\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 432, 436, 1473, 0} "\10\352\6\0@\0\314w\310\325q\0H\352\6\0\260\352\6\0\0\267\362v\260\352\6\0\310\325q\0\1\0\0\0@\347q\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 432, 436, 1473, 0} (344, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\352\6\0@\0\314w\310\325q\0H\352\6\0\260\352\6\0\0\267\362v\260\352\6\0\310\325q\0\1\0\0\0@\347q\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{64, 88, reply, 56, 432, 436, 1473, 0} "\10\352\6\0@\0\314w\310\325q\0H\352\6\0\260\352\6\0\0\267\362v\260\352\6\0\310\325q\0\1\0\0\0@\347q\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02189 436 NtClose (340, ... ) == 0x0 02190 436 NtClose (344, ... ) == 0x0 02191 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) , 0, ... 344, 2, ) == 0x0 02192 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 340, ) }, ... 340, ) == 0x0 02193 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 436 NtQueryValueKey (344, (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02195 436 NtQueryValueKey (344, (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02196 436 NtClose (344, ... ) == 0x0 02197 436 NtClose (340, ... ) == 0x0 02198 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 340, ) }, ... 340, ) == 0x0 02199 436 NtQueryValueKey (340, (340, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02200 436 NtClose (340, ... ) == 0x0 02201 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 452280, ... ) }, 452280, ... 
) == 0x0 02202 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 340, {status=0x0, info=1}, ) }, 5, 96, ... 340, {status=0x0, info=1}, ) == 0x0 02203 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 340, ... 344, ) == 0x0 02204 436 NtClose (340, ... ) == 0x0 02205 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 16384, ) == 0x0 02206 436 NtClose (344, ... ) == 0x0 02207 436 NtUnmapViewOfSection (-1, 0x840000, ... ) == 0x0 02208 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 452596, ... ) }, 452596, ... ) == 0x0 02209 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02210 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 340, ) == 0x0 02211 436 NtQuerySection (340, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02212 436 NtClose (344, ... ) == 0x0 02213 436 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02214 436 NtClose (340, ... ) == 0x0 02215 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 340, ) }, ... 340, ) == 0x0 02216 436 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 02217 436 NtClose (340, ... ) == 0x0 02218 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0 02219 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 344, ) }, ... 344, ) == 0x0 02220 436 NtQueryValueKey (344, (344, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "LdapClientIntegrity", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02221 436 NtClose (344, ... ) == 0x0 02222 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 452280, ... ) }, 452280, ... ) == 0x0 02223 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02224 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8650752, 65536, ) == 0x0 02225 436 NtAllocateVirtualMemory (-1, 8650752, 0, 4096, 4096, 4, ... 8650752, 4096, ) == 0x0 02226 436 NtAllocateVirtualMemory (-1, 8654848, 0, 8192, 4096, 4, ... 8654848, 8192, ) == 0x0 02227 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0 02228 436 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 452568, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 452568, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0 02229 436 NtRequestWaitReplyPort (348, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} (348, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} "\0\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\00\326q\0\0\355q\0\350\2\10\0\230\356q\0@\0\0\0\220\356q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\4\10\0\0\0\0\0.\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1476, 0} "\7\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\00\326q\0\0\355q\0\350\2\10\0\230\356q\0@\0\0\0\220\356q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\4\10\0\0\0\0\0.\0\0\0\5\0\0\0" ) ... 
{128, 152, reply, 0, 432, 436, 1476, 0} (348, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} "\0\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\347q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\00\326q\0\0\355q\0\350\2\10\0\230\356q\0@\0\0\0\220\356q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\4\10\0\0\0\0\0.\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1476, 0} "\7\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\00\326q\0\0\355q\0\350\2\10\0\230\356q\0@\0\0\0\220\356q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\4\10\0\0\0\0\0.\0\0\0\5\0\0\0" ) ) == 0x0 02230 436 NtRequestWaitReplyPort (348, {64, 88, new_msg, 0, 432, 436, 1472, 0} (348, {64, 88, new_msg, 0, 432, 436, 1472, 0} "\1`\0\0A\2\10\0\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 432, 436, 1477, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 432, 436, 1477, 0} (348, {64, 88, new_msg, 0, 432, 436, 1472, 0} "\1`\0\0A\2\10\0\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 432, 436, 1477, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02231 436 NtClose (344, ... ) == 0x0 02232 436 NtClose (348, ... ) == 0x0 02233 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 
348, 2, ) == 0x0 02234 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 344, ) }, ... 344, ) == 0x0 02235 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02236 436 NtQueryValueKey (348, (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02237 436 NtQueryValueKey (348, (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02238 436 NtClose (348, ... ) == 0x0 02239 436 NtClose (344, ... ) == 0x0 02240 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 344, 2, ) , 0, ... 344, 2, ) == 0x0 02241 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0 02242 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02243 436 NtQueryValueKey (344, (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02244 436 NtQueryValueKey (344, (344, "Domain", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02245 436 NtClose (344, ... ) == 0x0 02246 436 NtClose (348, ... ) == 0x0 02247 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02248 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 348, ) }, ... 348, ) == 0x0 02249 436 NtQueryValueKey (348, (348, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02250 436 NtQueryValueKey (348, (348, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02251 436 NtClose (348, ... ) == 0x0 02252 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 02253 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02254 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 453740, ... ) }, 453740, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02255 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 453740, ... ) }, 453740, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02256 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 453740, ... ) }, 453740, ... 
) == 0x0 02257 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02258 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02259 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02260 436 NtClose (348, ... ) == 0x0 02261 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 02262 436 NtClose (344, ... ) == 0x0 02263 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02264 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 452936, ... ) }, 452936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02265 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 452936, ... ) }, 452936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 452936, ... ) }, 452936, ... ) == 0x0 02267 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02268 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02269 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02270 436 NtClose (344, ... ) == 0x0 02271 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 02272 436 NtClose (348, ... ) == 0x0 02273 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02274 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 452132, ... ) }, 452132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02275 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 452132, ... ) }, 452132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02276 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 452132, ... ) }, 452132, ... ) == 0x0 02277 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02278 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02279 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02280 436 NtClose (348, ... ) == 0x0 02281 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 02282 436 NtClose (344, ... ) == 0x0 02283 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02284 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02285 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02286 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 451328, ... ) }, 451328, ... ) == 0x0 02287 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02288 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 
348, ) == 0x0 02289 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02290 436 NtClose (344, ... ) == 0x0 02291 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 02292 436 NtClose (348, ... ) == 0x0 02293 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02294 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 450524, ... ) }, 450524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02295 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 450524, ... ) }, 450524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02296 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 450524, ... ) }, 450524, ... ) == 0x0 02297 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02298 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02299 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02300 436 NtClose (348, ... ) == 0x0 02301 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 02302 436 NtClose (344, ... ) == 0x0 02303 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02304 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 450524, ... ) }, 450524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02305 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 450524, ... ) }, 450524, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02306 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 450524, ... ) }, 450524, ... ) == 0x0 02307 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02308 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02309 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02310 436 NtClose (344, ... ) == 0x0 02311 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 02312 436 NtClose (348, ... ) == 0x0 02313 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02314 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02315 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02316 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 451328, ... ) }, 451328, ... ) == 0x0 02317 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02318 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02319 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02320 436 NtClose (348, ... ) == 0x0 02321 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 02322 436 NtClose (344, ... 
) == 0x0 02323 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02324 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02325 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02326 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 451328, ... ) }, 451328, ... ) == 0x0 02327 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02328 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02329 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02330 436 NtClose (344, ... ) == 0x0 02331 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 02332 436 NtClose (348, ... ) == 0x0 02333 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 452132, ... ) }, 452132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02335 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 452132, ... ) }, 452132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02336 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 452132, ... ) }, 452132, ... ) == 0x0 02337 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 
348, {status=0x0, info=1}, ) == 0x0 02338 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02339 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02340 436 NtClose (348, ... ) == 0x0 02341 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 02342 436 NtClose (344, ... ) == 0x0 02343 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02344 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02345 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02346 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 451328, ... ) }, 451328, ... ) == 0x0 02347 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02348 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02349 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02350 436 NtClose (344, ... ) == 0x0 02351 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 02352 436 NtClose (348, ... ) == 0x0 02353 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02354 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02355 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 451328, ... ) }, 451328, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02356 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 451328, ... ) }, 451328, ... ) == 0x0 02357 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02358 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02359 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02360 436 NtClose (348, ... ) == 0x0 02361 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 02362 436 NtClose (344, ... ) == 0x0 02363 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02364 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02365 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 451328, ... ) }, 451328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02366 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 451328, ... ) }, 451328, ... ) == 0x0 02367 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02368 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02369 436 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02370 436 NtClose (344, ... ) == 0x0 02371 436 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 02372 436 NtClose (348, ... 
) == 0x0 02373 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02374 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 450524, ... ) }, 450524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02375 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 450524, ... ) }, 450524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02376 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 450524, ... ) }, 450524, ... ) == 0x0 02377 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02378 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 344, ) == 0x0 02379 436 NtQuerySection (344, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02380 436 NtClose (348, ... ) == 0x0 02381 436 NtMapViewOfSection (344, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 02382 436 NtClose (344, ... ) == 0x0 02383 436 NtQueryDefaultLocale (1, 453612, ... ) == 0x0 02384 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02385 436 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 8716288, 262144, ) == 0x0 02386 436 NtAllocateVirtualMemory (-1, 8716288, 0, 4096, 4096, 4, ... 8716288, 4096, ) == 0x0 02387 436 NtAllocateVirtualMemory (-1, 8720384, 0, 8192, 4096, 4, ... 8720384, 8192, ) == 0x0 02388 436 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02389 436 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02390 436 NtQueryDefaultLocale (1, 453572, ... ) == 0x0 02391 436 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02392 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02393 436 NtQueryValueKey (344, (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02394 436 NtClose (344, ... ) == 0x0 02395 436 NtUserGetProcessWindowStation (... ) == 0x24 02396 436 NtUserGetObjectInformation (36, 1, 453244, 12, 453256, ... ) == 0x1 02397 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 344, ) }, ... 344, ) == 0x0 02398 436 NtQueryValueKey (344, (344, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (344, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 02399 436 NtClose (344, ... ) == 0x0 02400 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02401 436 NtQueryValueKey (344, (344, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "OsLoaderPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02402 436 NtQueryValueKey (344, (344, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 02403 436 NtClose (344, ... ) == 0x0 02404 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02405 436 NtQueryValueKey (344, (344, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02406 436 NtQueryValueKey (344, (344, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 02407 436 NtClose (344, ... ) == 0x0 02408 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02409 436 NtQueryValueKey (344, (344, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02410 436 NtQueryValueKey (344, (344, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "SourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02411 436 NtClose (344, ... ) == 0x0 02412 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02413 436 NtQueryValueKey (344, (344, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02414 436 NtQueryValueKey (344, (344, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 02415 436 NtClose (344, ... ) == 0x0 02416 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 344, ) }, ... 344, ) == 0x0 02417 436 NtQueryValueKey (344, (344, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02418 436 NtQueryValueKey (344, (344, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 02419 436 NtClose (344, ... 
) == 0x0 02420 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 344, ) }, ... 344, ) == 0x0 02421 436 NtQueryValueKey (344, (344, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 02422 436 NtClose (344, ... ) == 0x0 02423 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0 02424 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 348, ) == 0x0 02425 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 352, ) == 0x0 02426 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 356, ) == 0x0 02427 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 360, ) == 0x0 02428 436 NtCreateMutant (0x1f0001, 0x0, 0, ... 364, ) == 0x0 02429 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 368, ) }, ... 368, ) == 0x0 02430 436 NtQueryValueKey (368, (368, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02431 436 NtQueryValueKey (368, (368, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02432 436 NtOpenKey (0x1, {24, 368, 0x40, 0, 0, (0x1, {24, 368, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02433 436 NtClose (368, ... ) == 0x0 02434 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 453164, ... ) }, 453164, ... ) == 0x0 02435 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 368, ) }, ... 368, ) == 0x0 02436 436 NtQueryValueKey (368, (368, "ComputerName", Full, 128, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (368, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (368, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02437 436 NtClose (368, ... ) == 0x0 02438 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 368, ) }, ... 368, ) == 0x0 02439 436 NtQueryValueKey (368, (368, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (368, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (368, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 02440 436 NtClose (368, ... ) == 0x0 02441 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02442 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 368, ) }, ... 368, ) == 0x0 02443 436 NtQueryValueKey (368, (368, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (368, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (368, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 02444 436 NtClose (368, ... ) == 0x0 02445 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 368, ) == 0x0 02446 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
372, ) == 0x0 02447 436 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 376, ) == 0x0 02448 436 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02449 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8978432, 65536, ) == 0x0 02450 436 NtAllocateVirtualMemory (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0 02451 436 NtAllocateVirtualMemory (-1, 8982528, 0, 8192, 4096, 4, ... 8982528, 8192, ) == 0x0 02452 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 380, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 380, {status=0x0, info=0}, ) == 0x0 02453 436 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 384, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 384, {status=0x0, info=0}, ) == 0x0 02454 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 388, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 388, {status=0x0, info=0}, ) == 0x0 02455 436 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 392, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 392, {status=0x0, info=0}, ) == 0x0 02456 436 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 453696, (0x20100080, {24, 0, 0x40, 0, 453696, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=0}, ) == 0x0 02457 436 NtAllocateVirtualMemory (-1, 8990720, 0, 36864, 4096, 4, ... 
8990720, 36864, ) == 0x0 02458 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 02459 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (380, 400, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02460 436 NtClose (400, ... ) == 0x0 02461 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 02462 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\260\7"\263\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (380, 400, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\260\7"\263\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) \263\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) == 0x0 02463 436 NtClose (400, ... ) == 0x0 02464 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
400, ) == 0x0 02465 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\320\7"\263Z\305\0\0\217\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`o\0\0\203\0\0\0,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (380, 400, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\320\7"\263Z\305\0\0\217\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`o\0\0\203\0\0\0,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) \263Z\305\0\0\217\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`o\0\0\203\0\0\0,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) == 0x0 02466 436 NtClose (400, ... ) == 0x0 02467 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02468 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 02469 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (380, 400, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... 
{status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 02470 436 NtClose (400, ... ) == 0x0 02471 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 02472 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (380, 400, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 02473 436 NtClose (400, ... ) == 0x0 02474 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 02475 436 NtDeviceIoControlFile (380, 400, 0x0, 0x0, 0x120003, (380, 400, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (380, 400, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 02476 436 NtClose (400, ... ) == 0x0 02477 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02478 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02479 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02480 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02481 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02482 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9109504, 65536, ) == 0x0 02483 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02484 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02485 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02486 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02487 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02488 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02489 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02490 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02491 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02492 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02493 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02494 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02495 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02496 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... 
(0x8b0000), 65536, ) == 0x0 02497 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02498 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02499 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02500 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02501 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02502 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02503 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02504 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02505 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02506 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02507 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02508 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02509 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02510 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02511 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02512 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02513 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02514 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02515 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02516 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02517 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02518 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02519 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02520 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02521 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02522 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02523 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02524 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 
9109504, 4096, ) == 0x0 02525 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02526 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02527 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02528 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02529 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02530 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02531 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02532 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02533 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02534 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02535 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02536 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02537 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02538 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02539 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02540 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02541 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02542 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02543 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02544 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02545 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02546 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02547 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02548 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02549 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02550 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02551 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02552 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9109504, 65536, ) == 0x0 02553 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02554 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02555 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02556 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02557 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02558 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02559 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02560 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02561 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02562 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02563 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02564 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02565 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02566 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... 
(0x8b0000), 65536, ) == 0x0 02567 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02568 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02569 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02570 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02571 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02572 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02573 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02574 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02575 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02576 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02577 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02578 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02579 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02580 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02581 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02582 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02583 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02584 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02585 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02586 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02587 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02588 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02589 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02590 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02591 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02592 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02593 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02594 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 
9109504, 4096, ) == 0x0 02595 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02596 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02597 436 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9109504, 65536, ) == 0x0 02598 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 02599 436 NtAllocateVirtualMemory (-1, 9109504, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02600 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 02601 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 65536, ) == 0x0 02602 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 400, ) }, ... 400, ) == 0x0 02603 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 404, ) }, ... 404, ) == 0x0 02604 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 408, ) }, ... 408, ) == 0x0 02605 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 02606 436 NtQueryDefaultLocale (1, 453632, ... ) == 0x0 02607 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02608 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02609 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 416, ) == 0x0 02610 436 NtDeviceIoControlFile (380, 416, 0x0, 0x0, 0x120003, (380, 416, 0x0, 0x0, 0x120003, "\1\3\0\0\0\0\0\0\0\2\0\0\0\1\0\0\4\1\0\0\1\0\0\0B\13s4\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0n\0\0\0Pw-", 51, 52, ... ) , 51, 52, ... ) == STATUS_HOST_UNREACHABLE 02611 436 NtClose (416, ... ) == 0x0 02612 436 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 02613 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 02614 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 02615 436 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02616 436 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02617 436 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02618 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02619 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 02620 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02621 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02622 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 449844, (0xc0100080, {24, 0, 0x40, 0, 449844, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 
420, {status=0x0, info=1}, ) == 0x0 02623 436 NtSetInformationFile (420, 449900, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02624 436 NtSetInformationFile (420, 449892, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02625 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02626 436 NtWriteFile (420, 265, 0, 0, (420, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02627 436 NtReadFile (420, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02628 436 NtFsControlFile (420, 265, 0x0, 0x0, 0x11c017, (420, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (420, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02629 436 NtClose (416, ... ) == 0x0 02630 436 NtClose (420, ... ) == 0x0 02631 436 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02632 436 NtCreateKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 
416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 02633 436 NtClose (420, ... ) == 0x0 02634 436 NtQueryValueKey (416, (416, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02635 436 NtClose (416, ... ) == 0x0 02636 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02637 436 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02638 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 02639 436 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 02640 436 NtClose (416, ... ) == 0x0 02641 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02642 436 NtQueryDirectoryFile (416, 0, 0, 0, 451688, 616, BothDirectory, 1, (416, 0, 0, 0, 451688, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02643 436 NtClose (416, ... ) == 0x0 02644 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02645 436 NtQueryDirectoryFile (416, 0, 0, 0, 451688, 616, BothDirectory, 1, (416, 0, 0, 0, 451688, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02646 436 NtClose (416, ... ) == 0x0 02647 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02648 436 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02649 436 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02650 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 
420, ) == 0x0 02651 436 NtCreateKey (0x2000000, {24, 420, 0x40, 0, 0, (0x2000000, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 424, 2, ) }, 0, 0x0, 0, ... 424, 2, ) == 0x0 02652 436 NtClose (420, ... ) == 0x0 02653 436 NtQueryValueKey (424, (424, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (424, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02654 436 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02655 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02656 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02657 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02658 436 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02659 436 NtClose (420, ... 
) == 0x0 02660 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02661 436 NtQueryValueKey (420, (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02662 436 NtClose (420, ... ) == 0x0 02663 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02664 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 420, ) }, ... 420, ) == 0x0 02665 436 NtQueryKey (420, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02666 436 NtQuerySecurityObject (420, 7, 0, ... ) == STATUS_ACCESS_DENIED 02667 436 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02668 436 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02669 436 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02670 436 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02671 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02672 436 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02673 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02674 436 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02675 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02676 436 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02677 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02678 436 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02679 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02680 436 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02681 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02682 436 NtEnumerateValueKey (420, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02683 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02684 436 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02685 436 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02686 436 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02687 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02688 436 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02689 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02690 436 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02691 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02692 436 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02693 436 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02694 436 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02695 436 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02696 436 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02697 436 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02698 436 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02699 436 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02700 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02701 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02702 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 450760, ... ) }, 450760, ... ) == 0x0 02703 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02704 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02705 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02706 436 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02707 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02708 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02709 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 450760, ... ) }, 450760, ... ) == 0x0 02710 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02711 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02712 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02713 436 NtClose (420, ... ) == 0x0 02714 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 02715 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "ActiveComputerName"}, ... 428, ) }, ... 428, ) == 0x0 02716 436 NtQueryValueKey (428, (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02717 436 NtClose (428, ... ) == 0x0 02718 436 NtClose (420, ... ) == 0x0 02719 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02720 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02721 436 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02722 436 NtClose (420, ... ) == 0x0 02723 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02724 436 NtQueryValueKey (420, (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02725 436 NtClose (420, ... ) == 0x0 02726 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02727 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 420, ) }, ... 420, ) == 0x0 02728 436 NtQueryValueKey (420, (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02729 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02730 436 NtQueryValueKey (420, (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02731 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02732 436 NtClose (420, ... ) == 0x0 02733 436 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02734 436 NtOpenKey (0x20019, {24, 296, 0x40, 0, 0, (0x20019, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 02735 436 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02736 436 NtQueryInformationToken (416, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02737 436 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 452144, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02738 436 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02739 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02740 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0 02741 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02742 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02743 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 450348, (0xc0100080, {24, 0, 0x40, 0, 450348, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 02744 436 NtSetInformationFile (432, 450404, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02745 436 NtSetInformationFile (432, 450396, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02746 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02747 436 NtWriteFile (432, 265, 0, 0, (432, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02748 436 NtReadFile (432, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02749 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\14\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02750 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\30\346\6\0\1\0\0\0\330\254q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\30\346\6\0\1\0\0\0\330\254q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02751 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0?\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02752 436 NtClose (428, ... ) == 0x0 02753 436 NtClose (432, ... ) == 0x0 02754 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02755 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 02756 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02757 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02758 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 450344, (0xc0100080, {24, 0, 0x40, 0, 450344, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0 02759 436 NtSetInformationFile (428, 450400, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02760 436 NtSetInformationFile (428, 450392, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02761 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02762 436 NtWriteFile (428, 265, 0, 0, (428, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02763 436 NtReadFile (428, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (428, 265, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02764 436 NtFsControlFile (428, 265, 0x0, 0x0, 0x11c017, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\15\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02765 436 NtFsControlFile (428, 265, 0x0, 0x0, 0x11c017, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\24\346\6\0\1\0\0\0\330\254q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\24\346\6\0\1\0\0\0\330\254q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02766 436 NtFsControlFile (428, 265, 0x0, 0x0, 0x11c017, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (428, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0@\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \244q\0\1\0\0\0,\244q\0 \0\0\0\1\0\0\0\16\0\20\08\244q\0H\244q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02767 436 NtClose (432, ... ) == 0x0 02768 436 NtClose (428, ... ) == 0x0 02769 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02770 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02771 436 NtQueryInformationToken (416, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02772 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 02773 436 NtQueryValueKey (428, (428, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02774 436 NtClose (428, ... ) == 0x0 02775 436 NtCreateKey (0x2001f, {24, 420, 0x40, 0, 0, (0x2001f, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 02776 436 NtQueryValueKey (428, (428, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02777 436 NtClose (428, ... ) == 0x0 02778 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02779 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02780 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 452048, ... ) }, 452048, ... ) == 0x0 02781 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 452056, (0x80100080, {24, 0, 0x40, 0, 452056, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
428, {status=0x0, info=1}, ) == 0x0 02782 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02783 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02784 436 NtQueryInformationFile (428, 452072, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02785 436 NtReadFile (428, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02786 436 NtClose (428, ... ) == 0x0 02787 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Environment"}, ... 428, ) }, ... 428, ) == 0x0 02788 436 NtAllocateVirtualMemory (-1, 7467008, 0, 12288, 4096, 4, ... 7467008, 12288, ) == 0x0 02789 436 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02790 436 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02791 436 NtEnumerateValueKey (428, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02792 436 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02793 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02794 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02795 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 450788, ... ) }, 450788, ... ) == 0x0 02796 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02797 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02798 436 NtClose (432, ... ) == 0x0 02799 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02800 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02801 436 NtClose (432, ... ) == 0x0 02802 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02803 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02804 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02805 436 NtEnumerateValueKey (428, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02806 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02807 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02808 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 450788, ... ) }, 450788, ... ) == 0x0 02809 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02810 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02811 436 NtClose (432, ... ) == 0x0 02812 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02813 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02814 436 NtClose (432, ... ) == 0x0 02815 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02816 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02817 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02818 436 NtEnumerateValueKey (428, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02819 436 NtClose (428, ... ) == 0x0 02820 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Volatile Environment"}, ... 428, ) }, ... 428, ) == 0x0 02821 436 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02822 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02823 436 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02824 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02825 436 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (428, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02826 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02827 436 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02828 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02829 436 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02830 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02831 436 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (428, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02832 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02833 436 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02834 436 NtEnumerateValueKey (428, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02835 436 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02836 436 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02837 436 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02838 436 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02839 436 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02840 436 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02841 436 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02842 436 NtEnumerateValueKey (428, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02843 436 NtClose (428, ... ) == 0x0 02844 436 NtClose (420, ... ) == 0x0 02845 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0 02846 436 NtClose (424, ... ) == 0x0 02847 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 452712, ... ) }, 452712, ... ) == 0x0 02848 436 NtQueryInformationToken (416, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02849 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 424, ) }, ... 424, ) == 0x0 02850 436 NtCreateKey (0x2000000, {24, 424, 0x40, 0, 0, (0x2000000, {24, 424, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02851 436 NtClose (424, ... ) == 0x0 02852 436 NtSetValueKey (420, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 02853 436 NtClose (420, ... ) == 0x0 02854 436 NtClose (416, ... ) == 0x0 02855 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02856 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02857 436 NtQueryInformationFile (92, 453760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02858 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 02859 436 NtReleaseMutant (144, ... 0x0, ) == 0x0 02860 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 02861 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 02862 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 452512, ... ) }, 452512, ... ) == 0x0 02863 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 452156, ... ) }, 452156, ... 
) == 0x0 02864 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 416, ) }, ... 416, ) == 0x0 02865 436 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 02866 436 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 02867 436 NtClose (416, ... ) == 0x0 02868 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 416, ) }, ... 416, ) == 0x0 02869 436 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02870 436 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02871 436 NtQueryValueKey (416, (416, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (416, "Mapping", Partial, 152, ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 02872 436 NtClose (416, ... ) == 0x0 02873 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 416, ) }, ... 416, ) == 0x0 02874 436 NtQueryValueKey (416, (416, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02875 436 NtQueryValueKey (416, (416, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 02876 436 NtQueryValueKey (416, (416, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02877 436 NtQueryValueKey (416, (416, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (416, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 02878 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 453076, ... ) }, 453076, ... 
) == 0x0 02879 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 420, {status=0x0, info=1}, ) }, 5, 96, ... 420, {status=0x0, info=1}, ) == 0x0 02880 436 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 420, ... 424, ) == 0x0 02881 436 NtClose (420, ... ) == 0x0 02882 436 NtMapViewOfSection (424, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 20480, ) == 0x0 02883 436 NtClose (424, ... ) == 0x0 02884 436 NtUnmapViewOfSection (-1, 0x8b0000, ... ) == 0x0 02885 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 453392, ... ) }, 453392, ... ) == 0x0 02886 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 424, {status=0x0, info=1}, ) }, 5, 96, ... 424, {status=0x0, info=1}, ) == 0x0 02887 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 424, ... 420, ) == 0x0 02888 436 NtQuerySection (420, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02889 436 NtClose (424, ... ) == 0x0 02890 436 NtMapViewOfSection (420, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 02891 436 NtClose (420, ... ) == 0x0 02892 436 NtClose (416, ... ) == 0x0 02893 436 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 455592, 67, ... 416, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 455592, 67, ... 416, {status=0x0, info=0}, ) == 0x0 02894 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x1207b, (416, 336, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\0\0\0 \277q\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\230\355\10\201", ) , 16, 16, ... {status=0x0, info=16}, (416, 336, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\0\0\0 \277q\0\17\346\367w", 16, 16, ... 
{status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\230\355\10\201", ) , ) == 0x0 02895 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x1207b, (416, 336, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\230\355\10\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\230\355\10\201", ) , 16, 16, ... {status=0x0, info=16}, (416, 336, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\230\355\10\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\230\355\10\201", ) , ) == 0x0 02896 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12047, (416, 336, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 \277q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02897 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 02898 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12003, (416, 336, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=420}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=420}, (416, 336, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=420}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02899 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12047, (416, 336, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02900 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, (416, 336, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02901 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12007, (416, 336, 0x0, 0x0, 0x12007, "\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\16\0\2\0\0PB\13s4\0\0\0\0\0\0\0\0", 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) , 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) == 0x103 02902 436 NtWaitForSingleObject (336, 1, {-5000000, -1}, ... ) == 0x0 02903 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12037, (416, 336, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (416, 336, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02904 436 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 424, ) }, ... 424, ) == 0x0 02905 436 NtQueryValueKey (424, (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02906 436 NtQueryValueKey (424, (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02907 436 NtQueryValueKey (424, (424, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02908 436 NtClose (424, ... ) == 0x0 02909 436 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02910 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 453816, ... ) }, 453816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02911 436 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 453816, ... ) }, 453816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02912 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 453816, ... ) }, 453816, ... ) == 0x0 02913 436 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 424, {status=0x0, info=1}, ) }, 5, 96, ... 424, {status=0x0, info=1}, ) == 0x0 02914 436 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 424, ... 428, ) == 0x0 02915 436 NtQuerySection (428, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02916 436 NtClose (424, ... ) == 0x0 02917 436 NtMapViewOfSection (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 02918 436 NtClose (428, ... ) == 0x0 02919 436 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
428, {status=0x0, info=0}, ) == 0x0 02920 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0 02921 436 NtDeviceIoControlFile (428, 424, 0x0, 0x0, 0xf14014, (428, 424, 0x0, 0x0, 0xf14014, "\0\0\0\0B\13s4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02922 436 NtClose (424, ... ) == 0x0 02923 436 NtClose (428, ... ) == 0x0 02924 436 NtDeviceIoControlFile (416, 336, 0x0, 0x0, 0x12037, (416, 336, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (416, 336, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02925 436 NtClose (420, ... ) == 0x0 02926 436 NtClose (416, ... ) == 0x0 02927 436 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 02928 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 02929 436 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 452568, 112, ... 420, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 452568, 112, ... 
420, 0x0, 0x0, 0x0, 112, ) == 0x0 02930 436 NtRequestWaitReplyPort (420, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} (420, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} "\0\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wH\37\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\00\326q\0\260\313q\0\0\0\0\0\250\313q\0\320\313q\0\370\313q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1482, 0} "\7\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\00\326q\0\260\313q\0\0\0\0\0\250\313q\0\320\313q\0\370\313q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 432, 436, 1482, 0} (420, {128, 152, new_msg, 0, 124332, 524288, 452332, 2012750850} "\0\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314wH\37\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\00\326q\0\260\313q\0\0\0\0\0\250\313q\0\320\313q\0\370\313q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 432, 436, 1482, 0} "\7\355\6\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\00\326q\0\260\313q\0\0\0\0\0\250\313q\0\320\313q\0\370\313q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\10\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02931 436 NtRequestWaitReplyPort (420, {64, 88, new_msg, 0, 44, 3, 20, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... 
{52, 76, reply, 0, 432, 436, 1483, 0} "\2`\372\177\1\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 432, 436, 1483, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 432, 436, 1483, 0} "\2`\372\177\1\00\300\0\0\0\0\271\12\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02932 436 NtClose (416, ... ) == 0x0 02933 436 NtClose (420, ... ) == 0x0 02934 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) , 0, ... 420, 2, ) == 0x0 02935 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 416, ) }, ... 416, ) == 0x0 02936 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02937 436 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02938 436 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02939 436 NtClose (420, ... ) == 0x0 02940 436 NtClose (416, ... 
) == 0x0 02941 436 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) , 0, ... 416, 2, ) == 0x0 02942 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 420, ) }, ... 420, ) == 0x0 02943 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02944 436 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02945 436 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02946 436 NtClose (416, ... ) == 0x0 02947 436 NtClose (420, ... ) == 0x0 02948 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02949 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 02950 436 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02951 436 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02952 436 NtClose (420, ... ) == 0x0 02953 436 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x102 02954 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02955 436 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02956 436 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 420, ) == 0x0 02957 436 NtDeviceIoControlFile (380, 420, 0x0, 0x0, 0x120003, (380, 420, 0x0, 0x0, 0x120003, "\1\3\0\0\0\0\0\0\0\2\0\0\0\1\0\0\4\1\0\0\1\0\0\0B\13s4\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0n\0\0\0Pw-", 51, 52, ... ) , 51, 52, ... ) == STATUS_HOST_UNREACHABLE 02958 436 NtClose (420, ... ) == 0x0 02959 436 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 02960 436 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 02961 436 NtReleaseMutant (148, ... 0x0, ) == 0x0 02962 436 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02963 436 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02964 436 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 
420, 2, ) == 0x0 02965 436 NtCreateKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 02966 436 NtClose (420, ... ) == 0x0 02967 436 NtQueryValueKey (416, (416, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02968 436 NtClose (416, ... ) == 0x0 02969 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02970 436 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02971 436 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 02972 436 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 02973 436 NtClose (416, ... ) == 0x0 02974 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02975 436 NtQueryDirectoryFile (416, 0, 0, 0, 451688, 616, BothDirectory, 1, (416, 0, 0, 0, 451688, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02976 436 NtClose (416, ... ) == 0x0 02977 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02978 436 NtQueryDirectoryFile (416, 0, 0, 0, 451688, 616, BothDirectory, 1, (416, 0, 0, 0, 451688, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02979 436 NtClose (416, ... ) == 0x0 02980 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02981 436 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02982 436 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02983 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 
420, ) == 0x0 02984 436 NtCreateKey (0x2000000, {24, 420, 0x40, 0, 0, (0x2000000, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 02985 436 NtClose (420, ... ) == 0x0 02986 436 NtQueryValueKey (428, (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02987 436 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9109504, 4096, ) == 0x0 02988 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02989 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02990 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02991 436 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02992 436 NtClose (420, ... 
) == 0x0 02993 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02994 436 NtQueryValueKey (420, (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02995 436 NtClose (420, ... ) == 0x0 02996 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02997 436 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 420, ) }, ... 420, ) == 0x0 02998 436 NtQueryKey (420, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02999 436 NtQuerySecurityObject (420, 7, 0, ... ) == STATUS_ACCESS_DENIED 03000 436 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03001 436 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03002 436 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03003 436 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03004 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03005 436 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03006 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03007 436 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03008 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03009 436 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03010 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03011 436 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03012 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03013 436 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03014 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03015 436 NtEnumerateValueKey (420, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03016 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03017 436 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03018 436 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03019 436 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03020 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03021 436 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03022 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03023 436 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03024 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03025 436 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03026 436 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03027 436 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03028 436 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03029 436 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03030 436 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03031 436 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03032 436 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03033 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03034 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03035 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 450760, ... ) }, 450760, ... ) == 0x0 03036 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03037 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03038 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03039 436 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03040 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03041 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03042 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 450760, ... ) }, 450760, ... ) == 0x0 03043 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03044 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03045 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03046 436 NtClose (420, ... ) == 0x0 03047 436 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 03048 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "ActiveComputerName"}, ... 424, ) }, ... 424, ) == 0x0 03049 436 NtQueryValueKey (424, (424, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (424, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (424, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03050 436 NtClose (424, ... ) == 0x0 03051 436 NtClose (420, ... ) == 0x0 03052 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03053 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03054 436 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03055 436 NtClose (420, ... ) == 0x0 03056 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03057 436 NtQueryValueKey (420, (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 03058 436 NtClose (420, ... ) == 0x0 03059 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03060 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 420, ) }, ... 420, ) == 0x0 03061 436 NtQueryValueKey (420, (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03062 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03063 436 NtQueryValueKey (420, (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 03064 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03065 436 NtClose (420, ... ) == 0x0 03066 436 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03067 436 NtOpenKey (0x20019, {24, 296, 0x40, 0, 0, (0x20019, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 03068 436 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 03069 436 NtQueryInformationToken (416, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 03070 436 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 452144, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 03071 436 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03072 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03073 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0 03074 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03075 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03076 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 450348, (0xc0100080, {24, 0, 0x40, 0, 450348, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 03077 436 NtSetInformationFile (432, 450404, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03078 436 NtSetInformationFile (432, 450396, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03079 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03080 436 NtWriteFile (432, 265, 0, 0, (432, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03081 436 NtReadFile (432, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03082 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\16\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03083 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\30\346\6\0\1\0\0\0(\314q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\30\346\6\0\1\0\0\0(\314q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03084 436 NtFsControlFile (432, 265, 0x0, 0x0, 0x11c017, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\322q\0\1\0\0\0\324\322q\0 \0\0\0\1\0\0\0\16\0\20\0\340\322q\0\360\322q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (432, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0A\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\322q\0\1\0\0\0\324\322q\0 \0\0\0\1\0\0\0\16\0\20\0\340\322q\0\360\322q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03085 436 NtClose (424, ... ) == 0x0 03086 436 NtClose (432, ... ) == 0x0 03087 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03088 436 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 03089 436 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03090 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03091 436 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 450344, (0xc0100080, {24, 0, 0x40, 0, 450344, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0 03092 436 NtSetInformationFile (424, 450400, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03093 436 NtSetInformationFile (424, 450392, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03094 436 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03095 436 NtWriteFile (424, 265, 0, 0, (424, 265, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03096 436 NtReadFile (424, 265, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (424, 265, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03097 436 NtFsControlFile (424, 265, 0x0, 0x0, 0x11c017, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\345\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\17\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03098 436 NtFsControlFile (424, 265, 0x0, 0x0, 0x11c017, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\24\346\6\0\1\0\0\0(\314q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305\1\0\0\0\24\346\6\0\1\0\0\0(\314q\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03099 436 NtFsControlFile (424, 265, 0x0, 0x0, 0x11c017, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\322q\0\1\0\0\0\324\322q\0 \0\0\0\1\0\0\0\16\0\20\0\340\322q\0\360\322q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (424, 265, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0B\372<\31\2113\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\322q\0\1\0\0\0\324\322q\0 \0\0\0\1\0\0\0\16\0\20\0\340\322q\0\360\322q\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\330\246q\0\1\0\0\0\1\0\0\0\20\0\22\0\354\246q\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03100 436 NtClose (432, ... ) == 0x0 03101 436 NtClose (424, ... ) == 0x0 03102 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03103 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03104 436 NtQueryInformationToken (416, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03105 436 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 424, ) }, ... 424, ) == 0x0 03106 436 NtQueryValueKey (424, (424, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (424, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 03107 436 NtClose (424, ... ) == 0x0 03108 436 NtCreateKey (0x2001f, {24, 420, 0x40, 0, 0, (0x2001f, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 424, 2, ) }, 0, 0x0, 0, ... 424, 2, ) == 0x0 03109 436 NtQueryValueKey (424, (424, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 03110 436 NtClose (424, ... ) == 0x0 03111 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03112 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03113 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 452048, ... ) }, 452048, ... ) == 0x0 03114 436 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 452056, (0x80100080, {24, 0, 0x40, 0, 452056, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
424, {status=0x0, info=1}, ) == 0x0 03115 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03116 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03117 436 NtQueryInformationFile (424, 452072, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03118 436 NtReadFile (424, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 03119 436 NtClose (424, ... ) == 0x0 03120 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Environment"}, ... 424, ) }, ... 424, ) == 0x0 03121 436 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03122 436 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03123 436 NtEnumerateValueKey (424, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03124 436 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03125 436 NtAllocateVirtualMemory (-1, 7479296, 0, 4096, 4096, 4, ... 7479296, 4096, ) == 0x0 03126 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03127 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03128 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 450788, ... ) }, 450788, ... ) == 0x0 03129 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03130 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03131 436 NtClose (432, ... ) == 0x0 03132 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03133 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03134 436 NtClose (432, ... ) == 0x0 03135 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03136 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03137 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... 
{BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03138 436 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03139 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03140 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03141 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 450788, ... ) }, 450788, ... ) == 0x0 03142 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03143 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03144 436 NtClose (432, ... ) == 0x0 03145 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03146 436 NtQueryDirectoryFile (432, 0, 0, 0, 450148, 616, BothDirectory, 1, (432, 0, 0, 0, 450148, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03147 436 NtClose (432, ... ) == 0x0 03148 436 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03149 436 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03150 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03151 436 NtEnumerateValueKey (424, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03152 436 NtClose (424, ... ) == 0x0 03153 436 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Volatile Environment"}, ... 424, ) }, ... 424, ) == 0x0 03154 436 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03155 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03156 436 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03157 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03158 436 NtEnumerateValueKey (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (424, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03159 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03160 436 NtEnumerateValueKey (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03161 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03162 436 NtEnumerateValueKey (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03163 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03164 436 NtEnumerateValueKey (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (424, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03165 436 NtQueryVirtualMemory (-1, 0x8b0000, Basic, 28, ... {BaseAddress=0x8b0000,AllocationBase=0x8b0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03166 436 NtEnumerateValueKey (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03167 436 NtEnumerateValueKey (424, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03168 436 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03169 436 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03170 436 NtEnumerateValueKey (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03171 436 NtEnumerateValueKey (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03172 436 NtEnumerateValueKey (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03173 436 NtEnumerateValueKey (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03174 436 NtEnumerateValueKey (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03175 436 NtEnumerateValueKey (424, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03176 436 NtClose (424, ... ) == 0x0 03177 436 NtClose (420, ... ) == 0x0 03178 436 NtFreeVirtualMemory (-1, (0x8b0000), 0, 32768, ... (0x8b0000), 4096, ) == 0x0 03179 436 NtClose (428, ... ) == 0x0 03180 436 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 452712, ... ) }, 452712, ... ) == 0x0 03181 436 NtQueryInformationToken (416, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03182 436 NtOpenKey (0x2001f, {24, 296, 0x40, 0, 0, (0x2001f, {24, 296, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 03183 436 NtCreateKey (0x2000000, {24, 428, 0x40, 0, 0, (0x2000000, {24, 428, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 03184 436 NtClose (428, ... ) == 0x0 03185 436 NtSetValueKey (420, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03186 436 NtClose (420, ... ) == 0x0 03187 436 NtClose (416, ... ) == 0x0 03188 436 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03189 436 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 03190 436 NtQueryInformationFile (92, 453760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03191 436 NtReleaseMutant (96, ... 0x0, ) == 0x0 03192 436 NtReleaseMutant (144, ... 0x0, ) == 0x0 03193 436 NtClearEvent (156, ... ) == 0x0 03194 436 NtSetEvent (156, ... 0x0, ) == 0x0 03195 436 NtTerminateProcess (0, 0, ... ) == 0x0 03196 436 NtFreeVirtualMemory (-1, (0x890000), 0, 32768, ... (0x890000), 65536, ) == 0x0 03197 436 NtClose (380, ... ) == 0x0 03198 436 NtClose (384, ... ) == 0x0 03199 436 NtClose (392, ... ) == 0x0 03200 436 NtClose (388, ... ) == 0x0 03201 436 NtClose (396, ... ) == 0x0 03202 436 NtClose (372, ... ) == 0x0 03203 436 NtClose (376, ... ) == 0x0 03204 436 NtClose (412, ... 
) == 0x0 03205 436 NtClose (408, ... ) == 0x0 03206 436 NtClose (404, ... ) == 0x0 03207 436 NtClose (400, ... ) == 0x0 03208 436 NtClose (368, ... ) == 0x0 03209 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0 03210 436 NtWaitForMultipleObjects (2, (344, 348, ), 1, 0, 0x0, ... ) == 0x1 03211 436 NtClose (348, ... ) == 0x0 03212 436 NtSetEvent (344, ... 0x0, ) == 0x0 03213 436 NtClose (344, ... ) == 0x0 03214 436 NtWaitForMultipleObjects (2, (352, 356, ), 1, 0, 0x0, ... ) == 0x1 03215 436 NtClose (356, ... ) == 0x0 03216 436 NtSetEvent (352, ... 0x0, ) == 0x0 03217 436 NtClose (352, ... ) == 0x0 03218 436 NtWaitForMultipleObjects (2, (360, 364, ), 1, 0, 0x0, ... ) == 0x1 03219 436 NtClose (364, ... ) == 0x0 03220 436 NtSetEvent (360, ... 0x0, ) == 0x0 03221 436 NtClose (360, ... ) == 0x0 03222 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0 03223 436 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 262144, ) == 0x0 03224 436 NtUserUnregisterClass (456076, 1991376896, 456064, ... ) == 0x0 03225 436 NtUnmapViewOfSection (-1, 0x830000, ... ) == 0x0 03226 436 NtClose (332, ... ) == 0x0 03227 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 03228 436 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 03229 436 NtClose (320, ... ) == 0x0 03230 436 NtClose (308, ... ) == 0x0 03231 436 NtClose (316, ... ) == 0x0 03232 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 03233 436 NtFreeVirtualMemory (-1, (0x820000), 0, 32768, ... (0x820000), 65536, ) == 0x0 03234 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... ) == 0x0 03235 436 NtClose (312, ... ) == 0x0 03236 436 NtUnmapViewOfSection (-1, 0x810000, ... ) == 0x0 03237 436 NtClose (288, ... ) == 0x0 03238 436 NtClose (208, ... ) == 0x0 03239 436 NtClose (204, ... ) == 0x0 03240 436 NtClose (236, ... ) == 0x0 03241 436 NtClose (240, ... 
) == 0x0 03242 436 NtClose (244, ... ) == 0x0 03243 436 NtClose (248, ... ) == 0x0 03244 436 NtSetEvent (232, ... 0x0, ) == 0x0 03245 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xc,}, 4, ... ) == 0x0 03246 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 03247 436 NtClose (196, ... ) == 0x0 03248 436 NtUnmapViewOfSection (-1, 0x3f0000, ... ) == 0x0 03249 436 NtClose (200, ... ) == 0x0 03250 436 NtClose (192, ... ) == 0x0 03251 436 NtClose (180, ... ) == 0x0 03252 436 NtClose (184, ... ) == 0x0 03253 436 NtClose (188, ... ) == 0x0 03254 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0 03255 436 NtClose (220, ... ) == 0x0 03256 436 NtClose (224, ... ) == 0x0 03257 436 NtClose (232, ... ) == 0x0 03258 436 NtClose (228, ... ) == 0x0 03259 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc03b 03260 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03261 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc03d 03262 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03263 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc03f 03264 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03265 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc041 03266 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03267 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc043 03268 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03269 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc045 03270 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03271 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc047 03272 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... 
) == 0x1 03273 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc049 03274 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03275 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc04b 03276 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03277 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc04d 03278 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03279 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc04f 03280 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03281 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc051 03282 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03283 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc053 03284 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03285 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc057 03286 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03287 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc059 03288 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03289 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc05b 03290 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03291 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc05d 03292 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03293 436 NtUserGetClassInfo (1999896576, 456164, 456116, 456192, 0, ... ) == 0xc05f 03294 436 NtUserUnregisterClass (456168, 1999896576, 456156, ... ) == 0x1 03295 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 03296 436 NtClose (108, ... ) == 0x0 03297 436 NtUnmapViewOfSection (-1, 0x3a0000, ... ) == 0x0 03298 436 NtClose (112, ... 
) == 0x0 03299 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 03300 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 03301 436 NtClose (80, ... ) == 0x0 03302 436 NtClose (68, ... ) == 0x0 03303 436 NtClose (84, ... ) == 0x0 03304 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc03b 03305 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03306 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc03d 03307 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03308 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc03f 03309 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03310 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc041 03311 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03312 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc043 03313 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03314 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc045 03315 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03316 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc047 03317 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03318 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc049 03319 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03320 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc04b 03321 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03322 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc04d 03323 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03324 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... 
) == 0xc04f 03325 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03326 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc051 03327 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03328 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc053 03329 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03330 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc057 03331 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03332 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc059 03333 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03334 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc05b 03335 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03336 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc05d 03337 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03338 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc05f 03339 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03340 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc017 03341 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03342 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc019 03343 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03344 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc018 03345 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03346 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc01a 03347 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03348 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc01c 03349 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... 
) == 0x1 03350 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc01e 03351 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03352 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc01b 03353 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03354 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc068 03355 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03356 436 NtUserGetClassInfo (1905590272, 456164, 456116, 456192, 0, ... ) == 0xc06a 03357 436 NtUserUnregisterClass (456168, 1905590272, 456156, ... ) == 0x1 03358 436 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 03359 436 NtClose (76, ... ) == 0x0 03360 436 NtClose (64, ... ) == 0x0 03361 436 NtWaitForSingleObject (132, 0, 0x0, ... ) == 0x0 03362 436 NtClearEvent (132, ... ) == 0x0 03363 436 NtSetEvent (132, ... 0x0, ) == 0x0 03364 436 NtClose (132, ... ) == 0x0 03365 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 03366 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 03367 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 03368 436 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 03369 436 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 03370 436 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1, 0, 7408096, 7408096} (24, {20, 48, new_msg, 0, 1, 0, 7408096, 7408096} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 1486, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 432, 436, 1486, 0} (24, {20, 48, new_msg, 0, 1, 0, 7408096, 7408096} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 432, 436, 1486, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03371 436 NtTerminateProcess (-1, 0, ... 03372 436 NtClose (40, ... ) == 0x0