Summary (number of calls per system service, in ascending order of count, reading down each column):

NtAccessCheck(>) 1 NtGdiHfontCreate(>) 2 NtEnumerateKey(>) 12 NtDuplicateObject(>) 38
NtAddAtom(>) 1 NtOpenDirectoryObject(>) 2 NtConnectPort(>) 14 NtProtectVirtualMemory(>) 41
NtCallbackReturn(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 14 NtQueryDefaultLocale(>) 41
NtCancelTimer(>) 1 NtQuerySecurityObject(>) 2 NtUserCallOneParam(>) 14 NtReadFile(>) 43
NtCreateTimer(>) 1 NtUserCreateWindowEx(>) 2 NtOpenProcessTokenEx(>) 15 NtSetInformationFile(>) 45
NtGdiCreateBitmap(>) 1 NtUserGetProcessWindowStation(>) 2 NtOpenThreadTokenEx(>) 15 NtUserFindExistingCursorIcon(>) 48
NtGdiCreatePatternBrushInternal(>) 1 NtUserMessageCall(>) 2 NtSetInformationThread(>) 18 NtCreateSection(>) 51
NtGdiInit(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetInformationProcess(>) 20 NtQueryInformationFile(>) 55
NtGdiQueryFontAssocInfo(>) 1 NtUserGetObjectInformation(>) 3 NtContinue(>) 21 NtOpenSection(>) 57
NtGdiSelectBitmap(>) 1 NtCreateIoCompletion(>) 4 NtUnmapViewOfSection(>) 22 NtUserRegisterClassExWOW(>) 64
NtOpenKeyedEvent(>) 1 NtNotifyChangeKey(>) 4 NtDelayExecution(>) 23 NtReleaseMutant(>) 69
NtOpenProcess(>) 1 NtReleaseSemaphore(>) 4 NtOpenThreadToken(>) 24 NtCreateKey(>) 77
NtOpenSymbolicLinkObject(>) 1 NtUserRegisterWindowMessage(>) 4 NtQueryInformationThread(>) 24 NtMapViewOfSection(>) 80
NtQueryEvent(>) 1 NtClearEvent(>) 5 NtQueryInformationProcess(>) 25 NtRequestWaitReplyPort(>) 89
NtQueryObject(>) 1 NtDeleteValueKey(>) 5 NtRemoveIoCompletion(>) 26 NtCreateFile(>) 92
NtQuerySymbolicLinkObject(>) 1 NtGdiGetStockObject(>) 5 NtResumeThread(>) 26 NtEnumerateValueKey(>) 103
NtQuerySystemTime(>) 1 NtOpenProcessToken(>) 6 NtCreateThread(>) 27 NtQueryVirtualMemory(>) 110
NtQueryTimerResolution(>) 1 NtOpenEvent(>) 7 NtFsControlFile(>) 27 NtCreateEvent(>) 129
NtSecureConnectPort(>) 1 NtSetEvent(>) 7 NtFreeVirtualMemory(>) 28 NtQueryAttributesFile(>) 142
NtSetIoCompletion(>) 1 NtUserCallNoParam(>) 7 NtQueryVolumeInformationFile(>) 28 NtAllocateVirtualMemory(>) 175
NtSetTimer(>) 1 NtFlushInstructionCache(>) 8 NtSetEventBoostPriority(>) 28 NtOpenFile(>) 182
NtUserGetClassName(>) 1 NtCreateMutant(>) 9 NtQueryInformationToken(>) 29 NtWaitForSingleObject(>) 222
NtUserGetDC(>) 1 NtOpenMutant(>) 9 NtTestAlert(>) 31 NtDeviceIoControlFile(>) 231
NtUserGetGUIThreadInfo(>) 1 NtQueryKey(>) 9 NtRegisterThreadTerminatePort(>) 32 NtOpenKey(>) 358
NtUserGetThreadDesktop(>) 1 NtSetInformationObject(>) 9 NtSetValueKey(>) 32 NtQueryDirectoryFile(>) 361
NtUserSetProp(>) 1 NtUserGetWindowDC(>) 10 NtQuerySection(>) 34 NtQueryValueKey(>) 517
NtWaitForMultipleObjects(>) 1 NtWriteFile(>) 10 NtQuerySystemInformation(>) 34 NtClose(>) 669
NtDuplicateToken(>) 2 NtCreateSemaphore(>) 11 NtQueryDebugFilterState(>) 36
NtGdiCreateSolidBrush(>) 2 NtUserSystemParametersInfo(>) 11

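Trace (each entry: sequence number, thread ID, system call, input arguments, "...", output arguments, then "==" and the returned status or value; an entry whose sequence number appears twice was still in progress while the calls listed in between were made):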

00001 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 392 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 392 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 392 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 392 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 392 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 392 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 392 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 392 NtClose (12, ... 
) == 0x0 00014 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 392 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 392 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 392 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 392 NtClose (16, ... ) == 0x0 00021 392 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 392 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 392 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 392 NtClose (16, ... ) == 0x0 00026 392 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 392 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 392 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 392 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 392, 1477, 0} "`\25\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 316, 392, 1477, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 316, 392, 1477, 0} "`\25\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 392 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 392 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 392 NtClose (16, ... ) == 0x0 00036 392 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 392 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 392 NtClose (28, ... ) == 0x0 00041 392 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 392 NtClose (28, ... ) == 0x0 00045 392 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 392 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 392 NtClose (28, ... ) == 0x0 00049 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 392 NtClose (28, ... ) == 0x0 00052 392 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 316, 392, 1480, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 316, 392, 1480, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 316, 392, 1480, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 392 NtProtectVirtualMemory (-1, (0x4ac000), 16384, 4, ... (0x4ac000), 16384, 8, ) == 0x0 00057 392 NtProtectVirtualMemory (-1, (0x4ac000), 16384, 8, ... (0x4ac000), 16384, 4, ) == 0x0 00058 392 NtFlushInstructionCache (-1, 4898816, 16384, ... ) == 0x0 00059 392 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 392 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 392 NtClose (28, ... ) == 0x0 00062 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 392 NtClose (28, ... ) == 0x0 00065 392 NtTestAlert (... ) == 0x0 00066 392 NtContinue (1244464, 1, ... 00067 392 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4af984,}, 4, ... ) == 0x0 00068 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00069 392 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00070 392 NtClose (28, ... ) == 0x0 00071 392 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00072 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00073 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00074 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00075 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1243092, ... ) }, 1243092, ... ) == 0x0 00076 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00077 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00078 392 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00079 392 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00080 392 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 392 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00082 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00083 392 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 392 NtClose (40, ... ) == 0x0 00085 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00086 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00087 392 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00088 392 NtClose (40, ... ) == 0x0 00089 392 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00090 392 NtClose (36, ... ) == 0x0 00091 392 NtClose (28, ... ) == 0x0 00092 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00093 392 NtClose (32, ... ) == 0x0 00094 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0 00095 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00096 392 NtClose (32, ... ) == 0x0 00097 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00098 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00099 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00100 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1242288, ... ) }, 1242288, ... ) == 0x0 00101 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00102 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00103 392 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00104 392 NtClose (32, ... ) == 0x0 00105 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x71aa0000), 0x0, 32768, ) == 0x0 00106 392 NtClose (28, ... ) == 0x0 00107 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00108 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00109 392 NtClose (28, ... ) == 0x0 00110 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00111 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00112 392 NtClose (28, ... ) == 0x0 00113 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00114 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00115 392 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00116 392 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00117 392 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00118 392 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00119 392 NtClose (28, ... ) == 0x0 00120 392 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00121 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00122 392 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00123 392 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00124 392 NtClose (28, ... ) == 0x0 00125 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00126 392 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00127 392 NtClose (28, ... ) == 0x0 00128 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00129 392 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00130 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00131 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00132 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00133 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00134 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00135 392 NtClose (32, ... ) == 0x0 00136 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 
32, ) == 0x0 00137 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00138 392 NtClose (32, ... ) == 0x0 00139 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00140 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 392, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 316, 392, 1492, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 316, 392, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00141 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00142 392 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4b0000), 0x0, 1060864, ) == 0x0 00143 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00144 392 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00145 392 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482036, ) == 0x0 00146 392 NtQueryInformationToken (-2147482036, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00147 392 NtQueryInformationToken (-2147482036, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00148 392 NtClose (-2147482036, ... ) == 0x0 00149 392 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 
4259840, 4096, ) == 0x0 00150 392 NtFreeVirtualMemory (-1, (0x410000), 4096, 32768, ... (0x410000), 4096, ) == 0x0 00151 392 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00152 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00153 392 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 392 NtClose (-2147482032, ... ) == 0x0 00155 392 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00156 392 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 392 NtClose (-2147482032, ... ) == 0x0 00158 392 NtQueryDefaultLocale (0, -133330420, ... ) == 0x0 00159 392 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00160 392 NtUserCallNoParam (24, ... ) == 0x0 00161 392 NtGdiCreateCompatibleDC (0, ... 00162 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4259840, 4096, ) == 0x0 00161 392 NtGdiCreateCompatibleDC ... ) == 0x29010113 00163 392 NtGdiGetStockObject (0, ... ) == 0x1900010 00164 392 NtGdiGetStockObject (4, ... ) == 0x1900011 00165 392 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x3a050382 00166 392 NtGdiCreateSolidBrush (0, 0, ... 00167 392 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4325376, 4096, ) == 0x0 00166 392 NtGdiCreateSolidBrush ... ) == 0x141003e2 00168 392 NtGdiGetStockObject (13, ... ) == 0x18a0021 00169 392 NtGdiCreateCompatibleDC (0, ... ) == 0x180103e1 00170 392 NtGdiSelectBitmap (402719713, 973407106, ... ) == 0x185000f 00171 392 NtUserGetThreadDesktop (392, 0, ... 
) == 0x2c 00172 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00173 392 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00174 392 NtClose (52, ... ) == 0x0 00175 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00176 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 673, 128, 0, ... ) == 0x810dc017 00177 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00178 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 674, 128, 0, ... ) == 0x810dc01c 00179 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00180 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 675, 128, 0, ... ) == 0x810dc01e 00181 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00182 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 676, 128, 0, ... ) == 0x810d8002 00183 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10013 00184 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 677, 128, 0, ... ) == 0x810dc018 00185 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00186 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 678, 128, 0, ... ) == 0x810dc01a 00187 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00188 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 679, 128, 0, ... ) == 0x810dc01d 00189 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00190 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 681, 128, 0, ... 
) == 0x810dc026 00191 392 NtUserFindExistingCursorIcon (1240896, 1240912, 1241480, ... ) == 0x10011 00192 392 NtUserRegisterClassExWOW (1241416, 1241496, 1241480, 1241512, 680, 128, 0, ... ) == 0x810dc019 00193 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... 00194 392 NtAllocateVirtualMemory (-1, 6123520, 0, 4096, 4096, 32, ... 6123520, 4096, ) == 0x0 00193 392 NtUserRegisterClassExWOW ... ) == 0x810dc020 00195 392 NtUserRegisterClassExWOW (1241368, 1241444, 1241460, 1241432, 0, 130, 0, ... ) == 0x810dc022 00196 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... ) == 0x810dc023 00197 392 NtUserRegisterClassExWOW (1241368, 1241444, 1241460, 1241432, 0, 130, 0, ... ) == 0x810dc024 00198 392 NtUserRegisterClassExWOW (1241368, 1241448, 1241432, 1241464, 0, 128, 0, ... ) == 0x810dc025 00199 392 NtCallbackReturn (0, 0, 0, ... 00200 392 NtGdiInit (... ) == 0x1 00201 392 NtGdiGetStockObject (18, ... ) == 0x290001c 00202 392 NtGdiGetStockObject (19, ... ) == 0x1b00019 00203 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00204 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00205 392 NtClose (52, ... ) == 0x0 00206 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 52, ) }, ... 52, ) == 0x0 00207 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00208 392 NtClose (52, ... ) == 0x0 00209 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00210 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0 00211 392 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00212 392 NtClose (52, ... ) == 0x0 00213 392 NtQueryDefaultUILanguage (1241448, ... 00214 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00215 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00216 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00217 392 NtClose (-2147482032, ... ) == 0x0 00218 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00219 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00221 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00222 392 NtClose (-2147482044, ... ) == 0x0 00223 392 NtClose (-2147482032, ... ) == 0x0 00213 392 NtQueryDefaultUILanguage ... ) == 0x0 00224 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00225 392 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00226 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00227 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 
56, ) == 0x0 00228 392 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8c0000), 0x0, 8323072, ) == 0x0 00229 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 392 NtQueryDefaultUILanguage (2013024600, ... 00231 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00232 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00233 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00234 392 NtClose (-2147482032, ... ) == 0x0 00235 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00236 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00237 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00238 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00239 392 NtClose (-2147482044, ... ) == 0x0 00240 392 NtClose (-2147482032, ... ) == 0x0 00230 392 NtQueryDefaultUILanguage ... ) == 0x0 00241 392 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00242 392 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00243 392 NtQueryDefaultLocale (1, 1239484, ... ) == 0x0 00244 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00245 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\303\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1495, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\303\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1495, 0} (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\303\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1495, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\303\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ) ) == 0x0 00246 392 NtClose (52, ... ) == 0x0 00247 392 NtClose (56, ... ) == 0x0 00248 392 NtUnmapViewOfSection (-1, 0x8c0000, ... ) == 0x0 00249 392 NtUnmapViewOfSection (-1, 0x12f414, ... ) == STATUS_NOT_MAPPED_VIEW 00250 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00251 392 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 
1327104, 4096, ) == 0x0 00252 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00255 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00256 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00257 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00258 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00259 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239160, ... ) }, 1239160, ... ) == 0x0 00260 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00261 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00262 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00263 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00264 392 NtClose (52, ... ) == 0x0 00265 392 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8c0000), 0x0, 921600, ) == 0x0 00266 392 NtClose (60, ... ) == 0x0 00267 392 NtUnmapViewOfSection (-1, 0x8c0000, ... 
) == 0x0 00268 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00269 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00270 392 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00271 392 NtClose (60, ... ) == 0x0 00272 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00273 392 NtClose (52, ... ) == 0x0 00274 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00275 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00276 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00277 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00278 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00279 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00280 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00281 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00282 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00283 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00284 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00285 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00286 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00287 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00288 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... 
) == 0x0 00289 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00290 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00291 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00292 392 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00293 392 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00294 392 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00295 392 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240344, ... ) , 42, 1240344, ... ) == 0x0 00296 392 NtQueryDefaultUILanguage (1239060, ... 00297 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00298 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00299 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00300 392 NtClose (-2147482032, ... ) == 0x0 00301 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00302 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00303 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00304 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 392 NtClose (-2147482044, ... ) == 0x0 00306 392 NtClose (-2147482032, ... ) == 0x0 00296 392 NtQueryDefaultUILanguage ... 
) == 0x0 00307 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237912, ... ) }, 1237912, ... ) == 0x0 00309 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00310 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00311 392 NtClose (52, ... ) == 0x0 00312 392 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x440000), 0x0, 4096, ) == 0x0 00313 392 NtClose (60, ... ) == 0x0 00314 392 NtUnmapViewOfSection (-1, 0x440000, ... ) == 0x0 00315 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237552, ... ) }, 1237552, ... ) == 0x0 00316 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238252, (0x80100080, {24, 0, 0x40, 0, 1238252, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00317 392 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00318 392 NtClose (60, ... ) == 0x0 00319 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x440000), {0, 0}, 4096, ) == 0x0 00320 392 NtClose (52, ... ) == 0x0 00321 392 NtUnmapViewOfSection (-1, 0x440000, ... ) == 0x0 00322 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00323 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00324 392 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x440000), 0x0, 4096, ) == 0x0 00325 392 NtQueryInformationFile (52, 1237872, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00326 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00327 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237952, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237952, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\300\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\300\352\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1496, 0} (24, {128, 156, new_msg, 0, 1237952, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\300\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1496, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\300\352\22\0\0\0\0\0" ) ) == 0x0 00328 392 NtClose (52, ... ) == 0x0 00329 392 NtClose (60, ... ) == 0x0 00330 392 NtUnmapViewOfSection (-1, 0x440000, ... ) == 0x0 00331 392 NtUnmapViewOfSection (-1, 0x12eac0, ... 
) == STATUS_NOT_MAPPED_VIEW 00332 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00333 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00334 392 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00335 392 NtUserGetDC (0, ... ) == 0x1010050 00336 392 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00337 392 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00338 392 NtUserSystemParametersInfo (66, 12, 1240364, 0, ... ) == 0x1 00339 392 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00340 392 NtAccessCheck (1329520, 60, 0x1, 1239768, 1239712, 56, 1239796, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00341 392 NtClose (60, ... ) == 0x0 00342 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00343 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00344 392 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00345 392 NtClose (60, ... ) == 0x0 00346 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00347 392 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00348 392 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00349 392 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00350 392 NtClose (52, ... ) == 0x0 00351 392 NtUserSystemParametersInfo (41, 500, 1239864, 0, ... ) == 0x1 00352 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0 00353 392 NtQueryValueKey (52, (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00354 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0 00355 392 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00356 392 NtClose (64, ... ) == 0x0 00357 392 NtClose (52, ... ) == 0x0 00358 392 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00359 392 NtUserSystemParametersInfo (4130, 0, 1240388, 0, ... ) == 0x1 00360 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0 00361 392 NtEnumerateValueKey (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00362 392 NtClose (52, ... ) == 0x0 00363 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00364 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc03b 00365 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc03d 00366 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00367 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc03f 00368 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00369 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc041 00370 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00371 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc043 00372 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc045 00373 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00374 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... 
) == 0x810dc047 00375 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00376 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc049 00377 392 NtUserGetClassInfo (1905590272, 1240284, 1240236, 1240312, 0, ... ) == 0xc049 00378 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00379 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc04b 00380 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00381 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc04d 00382 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00383 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc04f 00384 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc051 00385 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00386 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc053 00387 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00388 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc055 00389 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc057 00390 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00391 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc059 00392 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10013 00393 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc05b 00394 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00395 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... 
) == 0x810dc05d 00396 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00397 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc05f 00398 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00399 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc017 00400 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00401 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc019 00402 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10013 00403 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc018 00404 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00405 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc01a 00406 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00407 392 NtUserRegisterClassExWOW (1240120, 1240200, 1240184, 1240216, 0, 384, 0, ... ) == 0x810dc01c 00408 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... ) == 0x10011 00409 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... 00410 392 NtAllocateVirtualMemory (-1, 6127616, 0, 4096, 4096, 32, ... 6127616, 4096, ) == 0x0 00409 392 NtUserRegisterClassExWOW ... ) == 0x810dc01e 00411 392 NtUserFindExistingCursorIcon (1239668, 1239684, 1240252, ... ) == 0x10011 00412 392 NtUserRegisterClassExWOW (1240180, 1240260, 1240244, 1240276, 0, 384, 0, ... ) == 0x810dc01b 00413 392 NtUserFindExistingCursorIcon (1239664, 1239680, 1240248, ... ) == 0x10011 00414 392 NtUserRegisterClassExWOW (1240176, 1240256, 1240240, 1240272, 0, 384, 0, ... ) == 0x810dc068 00415 392 NtUserFindExistingCursorIcon (1239672, 1239688, 1240256, ... 
) == 0x10011 00416 392 NtUserRegisterClassExWOW (1240124, 1240204, 1240188, 1240220, 0, 384, 0, ... ) == 0x810dc06a 00417 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00418 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00419 392 NtClose (52, ... ) == 0x0 00420 392 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 52, ) == 0x0 00421 392 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00422 392 NtClose (52, ... ) == 0x0 00423 392 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00424 392 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00425 392 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00426 392 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00427 392 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00428 392 NtClose (52, ... ) == 0x0 00429 392 NtUserSystemParametersInfo (41, 500, 1241024, 0, ... ) == 0x1 00430 392 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00431 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00432 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00433 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc03b 00434 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00435 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc03d 00436 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00437 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00438 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... 
) == 0x810dc03f 00439 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00440 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00441 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc041 00442 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00443 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00444 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc043 00445 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00446 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc045 00447 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00448 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00449 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc047 00450 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00451 392 NtUserFindExistingCursorIcon (1240812, 1240828, 1241396, ... ) == 0x10011 00452 392 NtUserRegisterClassExWOW (1241264, 1241344, 1241328, 1241360, 0, 384, 0, ... ) == 0x810dc049 00453 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00454 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00455 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc04b 00456 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00457 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00458 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc04d 00459 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00460 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... 
) == 0x10011 00461 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc04f 00462 392 NtUserGetClassInfo (1999896576, 1241436, 1241388, 1241464, 0, ... ) == 0x0 00463 392 NtUserRegisterClassExWOW (1241272, 1241352, 1241336, 1241368, 0, 384, 0, ... ) == 0x810dc051 00464 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00465 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00466 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc053 00467 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00468 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00469 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc055 00470 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc057 00471 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00472 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00473 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc059 00474 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00475 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10013 00476 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc05b 00477 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00478 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... ) == 0x10011 00479 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc05d 00480 392 NtUserGetClassInfo (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0 00481 392 NtUserFindExistingCursorIcon (1240816, 1240832, 1241400, ... 
) == 0x10011 00482 392 NtUserRegisterClassExWOW (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810dc05f 00483 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03b 00484 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03d 00485 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03f 00486 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc041 00487 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc043 00488 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc045 00489 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc047 00490 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc049 00491 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04b 00492 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04d 00493 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04f 00494 392 NtUserGetClassInfo (1999896576, 1243188, 1243140, 1243216, 0, ... ) == 0xc051 00495 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc053 00496 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc055 00497 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc059 00498 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05b 00499 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05d 00500 392 NtUserGetClassInfo (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05f 00501 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 52, ) }, ... 52, ) == 0x0 00502 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0 00503 392 NtClose (52, ... 
) == 0x0 00504 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00505 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00506 392 NtClose (52, ... ) == 0x0 00507 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 52, ) }, ... 52, ) == 0x0 00508 392 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00509 392 NtClose (52, ... ) == 0x0 00510 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00511 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00512 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00513 392 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00514 392 NtClose (52, ... ) == 0x0 00515 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00516 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00517 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00518 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00519 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00520 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00521 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 392 NtClose (52, ... ) == 0x0 00524 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00525 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00526 392 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00527 392 NtClose (52, ... ) == 0x0 00528 392 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00529 392 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00531 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4456448, 65536, ) == 0x0 00532 392 NtAllocateVirtualMemory (-1, 4456448, 0, 4096, 4096, 4, ... 4456448, 4096, ) == 0x0 00533 392 NtAllocateVirtualMemory (-1, 4460544, 0, 8192, 4096, 4, ... 4460544, 8192, ) == 0x0 00534 392 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00535 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 64, ) }, 0, ... 64, ) == 0x0 00536 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 68, ) }, 0, ... 68, ) == 0x0 00537 392 NtQueryDefaultUILanguage (1241308, ... 00538 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00539 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00540 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00541 392 NtClose (-2147482032, ... ) == 0x0 00542 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00543 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00544 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00545 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... 
) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00546 392 NtClose (-2147482044, ... ) == 0x0 00547 392 NtClose (-2147482032, ... ) == 0x0 00537 392 NtQueryDefaultUILanguage ... ) == 0x0 00548 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00549 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00550 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00551 392 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8c0000), 0x0, 454656, ) == 0x0 00552 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00553 392 NtQueryDefaultLocale (1, 1239344, ... ) == 0x0 00554 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240200, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240200, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\240\302\221\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\210\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\357\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\240\302\221\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\210\363\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 316, 392, 1497, 0} (24, {128, 156, new_msg, 0, 1240200, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\357\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\240\302\221\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\210\363\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1497, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\357\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0\240\302\221\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\210\363\22\0\0\0\0\0" ) ) == 0x0 00556 392 NtClose (72, ... ) == 0x0 00557 392 NtClose (76, ... ) == 0x0 00558 392 NtUnmapViewOfSection (-1, 0x8c0000, ... ) == 0x0 00559 392 NtUnmapViewOfSection (-1, 0x12f388, ... ) == STATUS_NOT_MAPPED_VIEW 00560 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00561 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00562 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00563 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00564 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1237884, ... ) }, 1237884, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00565 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00566 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00567 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00568 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238476, ... ) }, 1238476, ... 
) == 0x0 00569 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0 00570 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00571 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00572 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00573 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00574 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00575 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00576 392 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00577 392 NtClose (72, ... ) == 0x0 00578 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 72, ) }, ... 72, ) == 0x0 00579 392 NtSetInformationObject (74, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00580 392 NtQueryKey (74, Name, 384, ... {Name= (74, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00581 392 NtOpenKey (0x2000000, {24, 74, 0x40, 0, 0, (0x2000000, {24, 74, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00582 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 80, ) }, ... 80, ) == 0x0 00583 392 NtQueryKey (82, Name, 392, ... {Name= (82, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 00584 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00585 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00586 392 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00587 392 NtClose (84, ... ) == 0x0 00588 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 392 NtEnumerateKey (82, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (82, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 00590 392 NtEnumerateKey (82, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 00591 392 NtClose (82, ... ) == 0x0 00592 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00594 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 80, ) }, ... 80, ) == 0x0 00595 392 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00596 392 NtClose (80, ... ) == 0x0 00597 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 80, ) }, ... 
80, ) == 0x0 00598 392 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00599 392 NtClose (80, ... ) == 0x0 00600 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 80, ) }, ... 80, ) == 0x0 00601 392 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00602 392 NtClose (80, ... ) == 0x0 00603 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 80, ) }, ... 80, ) == 0x0 00604 392 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00605 392 NtClose (80, ... ) == 0x0 00606 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00607 392 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00608 392 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00609 392 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00610 392 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00611 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1243224, 0, (0x1f0003, {24, 52, 0x80, 1243224, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00612 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 80, ) }, ... 80, ) == 0x0 00613 392 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00614 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00615 392 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00616 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 392 NtAllocateVirtualMemory (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0 00618 392 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 84, 2, ) }, 0, 0x0, 0, ... 84, 2, ) == 0x0 00619 392 NtQueryDefaultUILanguage (1241460, ... 00620 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00621 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00622 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00623 392 NtClose (-2147482032, ... ) == 0x0 00624 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00625 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00626 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00627 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00628 392 NtClose (-2147482044, ... ) == 0x0 00629 392 NtClose (-2147482032, ... ) == 0x0 00619 392 NtQueryDefaultUILanguage ... ) == 0x0 00630 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00631 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 88, {status=0x0, info=1}, ) }, 1, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00632 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 88, ... 92, ) == 0x0 00633 392 NtMapViewOfSection (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8c0000), 0x0, 593920, ) == 0x0 00634 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00635 392 NtQueryDefaultLocale (1, 1239496, ... ) == 0x0 00636 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00637 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240352, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240352, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0P\275\223\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0 \364\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1498, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0P\275\223\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0 \364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1498, 0} (24, {128, 156, new_msg, 0, 1240352, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0P\275\223\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0 \364\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 316, 392, 1498, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1X\0\0\0\377\377\377\377\0\0\0\0P\275\223\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0 \364\22\0\0\0\0\0" ) ) == 0x0 00638 392 NtClose (88, ... ) == 0x0 00639 392 NtClose (92, ... ) == 0x0 00640 392 NtUnmapViewOfSection (-1, 0x8c0000, ... ) == 0x0 00641 392 NtUnmapViewOfSection (-1, 0x12f420, ... ) == STATUS_NOT_MAPPED_VIEW 00642 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00643 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00644 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00645 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00646 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238036, ... ) }, 1238036, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00647 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00648 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00649 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00650 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238628, ... ) }, 1238628, ... ) == 0x0 00651 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 92, {status=0x0, info=1}, ) }, 3, 33, ... 92, {status=0x0, info=1}, ) == 0x0 00652 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00653 392 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 88, 2, ) }, 0, 0x0, 0, ... 
88, 2, ) == 0x0 00654 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00655 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00656 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "iphlpapi.dll"}, 1243092, ... ) }, 1243092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00657 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1243092, ... ) }, 1243092, ... ) == 0x0 00658 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00659 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00660 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00661 392 NtClose (96, ... ) == 0x0 00662 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 00663 392 NtClose (100, ... ) == 0x0 00664 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00666 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "netman.dll"}, 1242288, ... ) }, 1242288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00667 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1242288, ... ) }, 1242288, ... ) == 0x0 00668 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 
100, {status=0x0, info=1}, ) == 0x0 00669 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00670 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00671 392 NtClose (100, ... ) == 0x0 00672 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 00673 392 NtClose (96, ... ) == 0x0 00674 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00675 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00676 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "MPRAPI.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00677 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00678 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00679 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00680 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00681 392 NtClose (96, ... ) == 0x0 00682 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 00683 392 NtClose (100, ... ) == 0x0 00684 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00685 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00686 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ACTIVEDS.dll"}, 1240680, ... ) }, 1240680, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00687 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00688 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00689 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00690 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00691 392 NtClose (100, ... ) == 0x0 00692 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 00693 392 NtClose (96, ... ) == 0x0 00694 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00695 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "adsldpc.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1239876, ... ) }, 1239876, ... ) == 0x0 00698 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00699 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00700 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00701 392 NtClose (96, ... ) == 0x0 00702 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 00703 392 NtClose (100, ... 
) == 0x0 00704 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00705 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1239072, ... ) }, 1239072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00706 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1239072, ... ) }, 1239072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00707 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1239072, ... ) }, 1239072, ... ) == 0x0 00708 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00709 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00710 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00711 392 NtClose (100, ... ) == 0x0 00712 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 00713 392 NtClose (96, ... ) == 0x0 00714 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 96, ) }, ... 96, ) == 0x0 00715 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 00716 392 NtClose (96, ... ) == 0x0 00717 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00719 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1239876, ... ) }, 1239876, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00720 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1239876, ... ) }, 1239876, ... ) == 0x0 00721 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00722 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00723 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00724 392 NtClose (96, ... ) == 0x0 00725 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 00726 392 NtClose (100, ... ) == 0x0 00727 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00729 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00730 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00731 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00732 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00733 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00734 392 NtClose (100, ... ) == 0x0 00735 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 00736 392 NtClose (96, ... 
) == 0x0 00737 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00738 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00739 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SAMLIB.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00740 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00741 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00742 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00743 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00744 392 NtClose (96, ... ) == 0x0 00745 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 00746 392 NtClose (100, ... ) == 0x0 00747 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00748 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00749 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00750 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00751 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 
100, {status=0x0, info=1}, ) == 0x0 00752 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00753 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00754 392 NtClose (100, ... ) == 0x0 00755 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 00756 392 NtClose (96, ... ) == 0x0 00757 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00758 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00759 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00761 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00762 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00763 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00764 392 NtClose (96, ... ) == 0x0 00765 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 00766 392 NtClose (100, ... ) == 0x0 00767 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00768 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00769 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1240680, ... 
) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00770 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00771 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00772 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00773 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00774 392 NtClose (100, ... ) == 0x0 00775 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 00776 392 NtClose (96, ... ) == 0x0 00777 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00778 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00779 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00780 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00781 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00782 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00783 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00784 392 NtClose (96, ... ) == 0x0 00785 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 00786 392 NtClose (100, ... 
) == 0x0 00787 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00788 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00789 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00790 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1239876, ... ) }, 1239876, ... ) == 0x0 00791 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00792 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00793 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00794 392 NtClose (100, ... ) == 0x0 00795 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00796 392 NtClose (96, ... ) == 0x0 00797 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00798 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00799 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00801 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 
96, {status=0x0, info=1}, ) == 0x0 00802 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00803 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00804 392 NtClose (96, ... ) == 0x0 00805 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00806 392 NtClose (100, ... ) == 0x0 00807 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00808 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00809 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WZCSvc.DLL"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00810 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1241484, ... ) }, 1241484, ... ) == 0x0 00811 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00812 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00813 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00814 392 NtClose (100, ... ) == 0x0 00815 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 00816 392 NtClose (96, ... ) == 0x0 00817 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00818 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00819 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WMI.dll"}, 1240680, ... ) }, 1240680, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00820 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00821 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00822 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00823 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00824 392 NtClose (96, ... ) == 0x0 00825 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 00826 392 NtClose (100, ... ) == 0x0 00827 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00828 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00829 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00830 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00831 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0 00832 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00833 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00834 392 NtClose (100, ... ) == 0x0 00835 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 00836 392 NtClose (96, ... 
) == 0x0 00837 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00838 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00839 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00840 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1239876, ... ) }, 1239876, ... ) == 0x0 00841 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00842 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00843 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00844 392 NtClose (96, ... ) == 0x0 00845 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 00846 392 NtClose (100, ... ) == 0x0 00847 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00848 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00849 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WTSAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00850 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0 00851 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 
100, {status=0x0, info=1}, ) == 0x0 00852 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 100, ... 96, ) == 0x0 00853 392 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00854 392 NtClose (100, ... ) == 0x0 00855 392 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 00856 392 NtClose (96, ... ) == 0x0 00857 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00858 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00859 392 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINSTA.dll"}, 1239876, ... ) }, 1239876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00860 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239876, ... ) }, 1239876, ... ) == 0x0 00861 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00862 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00863 392 NtQuerySection (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00864 392 NtClose (96, ... ) == 0x0 00865 392 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 00866 392 NtClose (100, ... ) == 0x0 00867 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0 00868 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 96, ) }, ... 96, ) == 0x0 00869 392 NtQueryValueKey (96, (96, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "LdapClientIntegrity", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00870 392 NtClose (96, ... ) == 0x0 00871 392 NtQueryDefaultLocale (1, 1242964, ... ) == 0x0 00872 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00873 392 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9175040, 262144, ) == 0x0 00874 392 NtAllocateVirtualMemory (-1, 9175040, 0, 4096, 4096, 4, ... 9175040, 4096, ) == 0x0 00875 392 NtAllocateVirtualMemory (-1, 9179136, 0, 8192, 4096, 4, ... 9179136, 8192, ) == 0x0 00876 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00877 392 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00878 392 NtQueryDefaultLocale (1, 1242924, ... ) == 0x0 00879 392 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00880 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00881 392 NtQueryValueKey (96, (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00882 392 NtClose (96, ... ) == 0x0 00883 392 NtUserGetProcessWindowStation (... ) == 0x28 00884 392 NtUserGetObjectInformation (40, 1, 1242596, 12, 1242608, ... 
) == 0x1 00885 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 96, ) }, ... 96, ) == 0x0 00886 392 NtQueryValueKey (96, (96, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 00887 392 NtClose (96, ... ) == 0x0 00888 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00889 392 NtQueryValueKey (96, (96, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00890 392 NtQueryValueKey (96, (96, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 00891 392 NtClose (96, ... ) == 0x0 00892 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00893 392 NtQueryValueKey (96, (96, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00894 392 NtQueryValueKey (96, (96, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "SystemPartition", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 00895 392 NtClose (96, ... ) == 0x0 00896 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00897 392 NtQueryValueKey (96, (96, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00898 392 NtQueryValueKey (96, (96, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00899 392 NtClose (96, ... ) == 0x0 00900 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00901 392 NtQueryValueKey (96, (96, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00902 392 NtQueryValueKey (96, (96, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 00903 392 NtClose (96, ... ) == 0x0 00904 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00905 392 NtQueryValueKey (96, (96, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (96, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00906 392 NtQueryValueKey (96, (96, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (96, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 00907 392 NtClose (96, ... ) == 0x0 00908 392 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00909 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 96, ) }, ... 96, ) == 0x0 00910 392 NtQueryValueKey (96, (96, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (96, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 00911 392 NtClose (96, ... ) == 0x0 00912 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 96, ) == 0x0 00913 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 104, ) == 0x0 00914 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0 00915 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 112, ) == 0x0 00916 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00917 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 120, ) == 0x0 00918 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 124, ) }, ... 
124, ) == 0x0 00919 392 NtQueryValueKey (124, (124, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 392 NtQueryValueKey (124, (124, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 392 NtOpenKey (0x1, {24, 124, 0x40, 0, 0, (0x1, {24, 124, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 392 NtClose (124, ... ) == 0x0 00923 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1242516, ... ) }, 1242516, ... ) == 0x0 00924 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 124, ) }, ... 124, ) == 0x0 00925 392 NtQueryValueKey (124, (124, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (124, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (124, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00926 392 NtClose (124, ... ) == 0x0 00927 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 124, ) }, ... 124, ) == 0x0 00928 392 NtQueryValueKey (124, (124, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (124, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (124, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 00929 392 NtClose (124, ... 
) == 0x0 00930 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 124, ) }, ... 124, ) == 0x0 00932 392 NtQueryValueKey (124, (124, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (124, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (124, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 00933 392 NtClose (124, ... ) == 0x0 00934 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0 00935 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 128, ) == 0x0 00936 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 132, ) == 0x0 00937 392 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 136, ) }, ... 136, ) == 0x0 00938 392 NtQueryValueKey (136, (136, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 392 NtQueryValueKey (136, (136, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 392 NtQueryValueKey (136, (136, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 392 NtQueryValueKey (136, (136, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 392 NtQueryValueKey (136, (136, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 392 NtQueryValueKey (136, (136, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 392 NtQueryValueKey (136, (136, "wave6", Partial, 536, ... 
) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 392 NtQueryValueKey (136, (136, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 392 NtQueryValueKey (136, (136, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 392 NtQueryValueKey (136, (136, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00948 392 NtQueryValueKey (136, (136, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00949 392 NtQueryValueKey (136, (136, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 392 NtQueryValueKey (136, (136, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 392 NtQueryValueKey (136, (136, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 392 NtQueryValueKey (136, (136, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 392 NtQueryValueKey (136, (136, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 392 NtQueryValueKey (136, (136, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 392 NtQueryValueKey (136, (136, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00956 392 NtQueryValueKey (136, (136, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 392 NtQueryValueKey (136, (136, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 392 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 00959 392 NtQueryValueKey (136, (136, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 392 NtQueryValueKey (136, (136, "aux1", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00961 392 NtQueryValueKey (136, (136, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 392 NtQueryValueKey (136, (136, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 392 NtQueryValueKey (136, (136, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 392 NtQueryValueKey (136, (136, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00965 392 NtQueryValueKey (136, (136, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 392 NtQueryValueKey (136, (136, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 392 NtQueryValueKey (136, (136, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 392 NtQueryValueKey (136, (136, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 392 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 00970 392 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 140, ) }, ... 140, ) == 0x0 00971 392 NtQueryValueKey (140, (140, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00972 392 NtClose (140, ... ) == 0x0 00973 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00974 392 NtQueryValueKey (136, (136, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 392 NtQueryValueKey (136, (136, "mixer1", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00976 392 NtQueryValueKey (136, (136, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 392 NtQueryValueKey (136, (136, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 392 NtQueryValueKey (136, (136, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00979 392 NtQueryValueKey (136, (136, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00980 392 NtQueryValueKey (136, (136, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 392 NtQueryValueKey (136, (136, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 392 NtQueryValueKey (136, (136, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00983 392 NtQueryValueKey (136, (136, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 392 NtQueryDefaultUILanguage (1241484, ... 00985 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00986 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00987 392 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00988 392 NtClose (-2147482032, ... ) == 0x0 00989 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00990 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 392 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... 
-2147482044, ) == 0x0 00992 392 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00993 392 NtClose (-2147482044, ... ) == 0x0 00994 392 NtClose (-2147482032, ... ) == 0x0 00984 392 NtQueryDefaultUILanguage ... ) == 0x0 00995 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 140, {status=0x0, info=1}, ) }, 1, 96, ... 140, {status=0x0, info=1}, ) == 0x0 00997 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 140, ... 144, ) == 0x0 00998 392 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x900000), 0x0, 163840, ) == 0x0 00999 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01000 392 NtQueryDefaultLocale (1, 1239520, ... ) == 0x0 01001 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240376, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240376, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\214\0\0\0\377\377\377\377\0\0\0\0\360Z\222\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\08\364\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 316, 392, 1499, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\214\0\0\0\377\377\377\377\0\0\0\0\360Z\222\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\08\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 316, 392, 1499, 0} (24, {128, 156, new_msg, 0, 1240376, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\214\0\0\0\377\377\377\377\0\0\0\0\360Z\222\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\08\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 316, 392, 1499, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\214\0\0\0\377\377\377\377\0\0\0\0\360Z\222\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\08\364\22\0\0\0\0\0" ) ) == 0x0 01003 392 NtClose (140, ... ) == 0x0 01004 392 NtClose (144, ... ) == 0x0 01005 392 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 01006 392 NtUnmapViewOfSection (-1, 0x12f438, ... ) == STATUS_NOT_MAPPED_VIEW 01007 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01008 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01009 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01010 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01011 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238604, ... ) }, 1238604, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01012 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01013 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01014 392 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 01015 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239196, ... ) }, 1239196, ... ) == 0x0 01016 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 144, {status=0x0, info=1}, ) }, 3, 33, ... 144, {status=0x0, info=1}, ) == 0x0 01017 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01018 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 140, ) }, ... 140, ) == 0x0 01019 392 NtQueryValueKey (140, (140, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01020 392 NtQueryValueKey (140, (140, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01021 392 NtClose (140, ... ) == 0x0 01022 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 140, ) == 0x0 01023 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1362976, 0, (0x1f0001, {24, 52, 0x80, 1362976, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01024 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 148, ) }, ... 148, ) == 0x0 01025 392 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 152, ) == 0x0 01026 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 01027 392 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 160, ) == 0x0 01028 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 164, ) == 0x0 01029 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 168, ) == 0x0 01030 392 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
172, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) , 0, ... 172, 2, ) == 0x0 01031 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 176, ) }, ... 176, ) == 0x0 01032 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01033 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01034 392 NtQueryValueKey (176, (176, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01035 392 NtQueryValueKey (172, (172, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01036 392 NtQueryValueKey (176, (176, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01037 392 NtQueryValueKey (172, (172, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01038 392 NtQueryValueKey (176, (176, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01039 392 NtQueryValueKey (172, (172, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01040 392 NtQueryValueKey (176, (176, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 392 NtQueryValueKey (172, (172, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01042 392 NtQueryValueKey (176, (176, "AppendToMultiLabelName", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01043 392 NtQueryValueKey (176, (176, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01044 392 NtQueryValueKey (176, (176, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01045 392 NtQueryValueKey (176, (176, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01046 392 NtQueryValueKey (176, (176, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01047 392 NtQueryValueKey (176, (176, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01048 392 NtQueryValueKey (176, (176, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01049 392 NtQueryValueKey (172, (172, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01050 392 NtQueryValueKey (176, (176, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01051 392 NtQueryValueKey (176, (176, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01052 392 NtQueryValueKey (172, (172, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 392 NtQueryValueKey (176, (176, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01054 392 NtQueryValueKey (172, (172, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01055 392 NtQueryValueKey (176, (176, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01056 392 NtQueryValueKey (172, (172, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01057 392 NtQueryValueKey (176, (176, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01058 392 NtQueryValueKey (172, (172, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01059 392 NtQueryValueKey (176, (176, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01060 392 NtQueryValueKey (172, (172, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01061 392 NtQueryValueKey (176, (176, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01062 392 NtQueryValueKey (172, (172, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01063 392 NtQueryValueKey (176, (176, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01064 392 NtQueryValueKey (172, (172, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01065 392 NtQueryValueKey (176, (176, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01066 392 NtQueryValueKey (172, (172, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 392 NtQueryValueKey (176, (176, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01068 392 NtQueryValueKey (176, (176, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01069 392 NtQueryValueKey (176, (176, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01070 392 NtQueryValueKey (176, (176, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01071 392 NtQueryValueKey (176, (176, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01072 392 NtQueryValueKey (176, (176, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01073 392 NtQueryValueKey (176, (176, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01074 392 NtQueryValueKey (176, (176, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01075 392 NtQueryValueKey (176, (176, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01076 392 NtQueryValueKey (176, (176, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01077 392 NtQueryValueKey (176, (176, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01078 392 NtQueryValueKey (176, (176, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 392 NtQueryValueKey (176, (176, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01080 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 180, ) }, ... 180, ) == 0x0 01081 392 NtQueryValueKey (180, (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (180, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01082 392 NtClose (180, ... ) == 0x0 01083 392 NtClose (172, ... ) == 0x0 01084 392 NtClose (176, ... ) == 0x0 01085 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 176, ) }, ... 176, ) == 0x0 01086 392 NtQueryValueKey (176, (176, "DnsQueryTimeouts", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01087 392 NtQueryValueKey (176, (176, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01088 392 NtQueryValueKey (176, (176, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01089 392 NtClose (176, ... ) == 0x0 01090 392 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 01091 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 01092 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 172, ) == 0x0 01093 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 180, ) == 0x0 01094 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01095 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4784128, 65536, ) == 0x0 01096 392 NtAllocateVirtualMemory (-1, 4784128, 0, 4096, 4096, 4, ... 4784128, 4096, ) == 0x0 01097 392 NtAllocateVirtualMemory (-1, 4788224, 0, 8192, 4096, 4, ... 4788224, 8192, ) == 0x0 01098 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 184, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 184, {status=0x0, info=0}, ) == 0x0 01099 392 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 188, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 188, {status=0x0, info=0}, ) == 0x0 01100 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 192, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
192, {status=0x0, info=0}, ) == 0x0 01101 392 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 196, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 196, {status=0x0, info=0}, ) == 0x0 01102 392 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1243048, (0x20100080, {24, 0, 0x40, 0, 1243048, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0 01103 392 NtAllocateVirtualMemory (-1, 4796416, 0, 36864, 4096, 4, ... 4796416, 36864, ) == 0x0 01104 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01105 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (184, 204, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01106 392 NtClose (204, ... ) == 0x0 01107 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01108 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\201\213o\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... 
{status=0x0, info=118}, (184, 204, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\201\213o\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01109 392 NtClose (204, ... ) == 0x0 01110 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01111 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\252\213o\344\374\224\0\0\177\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\201j\0\0y\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (184, 204, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0\252\213o\344\374\224\0\0\177\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\201j\0\0y\0\0\0.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01112 392 NtClose (204, ... ) == 0x0 01113 392 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01114 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01115 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... 
{status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (184, 204, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01116 392 NtClose (204, ... ) == 0x0 01117 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01118 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (184, 204, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01119 392 NtClose (204, ... ) == 0x0 01120 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 204, ) == 0x0 01121 392 NtDeviceIoControlFile (184, 204, 0x0, 0x0, 0x120003, (184, 204, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (184, 204, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01122 392 NtClose (204, ... ) == 0x0 01123 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01124 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01125 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 
9437184, 4096, ) == 0x0 01126 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01127 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01128 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01129 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01130 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01131 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01132 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01133 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01134 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01135 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01136 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01137 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01138 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01139 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... 
{BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01140 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01141 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01142 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01143 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01144 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01145 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01146 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01147 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01148 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01149 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01150 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01151 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01152 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01153 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9437184, 65536, ) == 0x0 01154 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01155 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01156 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01157 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01158 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01159 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01160 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01161 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01162 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01163 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01164 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01165 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01166 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01167 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... 
(0x900000), 65536, ) == 0x0 01168 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01169 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01170 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01171 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01172 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01173 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01174 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01175 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01176 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01177 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01178 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01179 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01180 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01181 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... 
{BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01182 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01183 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01184 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01185 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01186 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01187 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01188 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01189 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01190 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01191 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01192 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01193 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01194 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01195 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 
9437184, 4096, ) == 0x0 01196 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01197 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01198 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01199 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01200 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01201 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01202 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01203 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01204 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01205 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01206 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01207 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01208 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01209 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... 
{BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01210 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01211 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01212 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01213 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01214 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01215 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01216 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01217 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01218 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01219 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01220 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01221 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01222 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01223 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9437184, 65536, ) == 0x0 01224 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01225 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01226 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01227 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01228 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01229 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01230 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01231 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01232 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01233 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01234 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01235 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01236 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01237 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... 
(0x900000), 65536, ) == 0x0 01238 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01239 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01240 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01241 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01242 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01243 392 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9437184, 65536, ) == 0x0 01244 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01245 392 NtAllocateVirtualMemory (-1, 9437184, 0, 1, 4096, 4, ... 9437184, 4096, ) == 0x0 01246 392 NtQueryVirtualMemory (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01247 392 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 65536, ) == 0x0 01248 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 204, ) }, ... 204, ) == 0x0 01249 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 208, ) }, ... 208, ) == 0x0 01250 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 212, ) }, ... 
212, ) == 0x0 01251 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 216, ) }, ... 216, ) == 0x0 01252 392 NtQueryDefaultLocale (1, 1242984, ... ) == 0x0 01253 392 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "Breatle AntiVirus v1.0"}, 1, ... 220, ) }, 1, ... 220, ) == 0x0 01254 392 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\WINDOWS\System32"}, 3, 33, ... 224, {status=0x0, info=1}, ) }, 3, 33, ... 224, {status=0x0, info=1}, ) == 0x0 01255 392 NtQueryVolumeInformationFile (224, 1244616, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01256 392 NtClose (12, ... ) == 0x0 01257 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243564, (0x80100080, {24, 0, 0x40, 0, 1243564, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 01258 392 NtQueryInformationFile (12, 1244500, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01259 392 NtQueryInformationFile (12, 1244472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01260 392 NtQueryInformationFile (12, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01261 392 NtAllocateVirtualMemory (-1, 1368064, 0, 8192, 4096, 4, ... 1368064, 8192, ) == 0x0 01262 392 NtQueryInformationFile (12, 1365824, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01263 392 NtQueryInformationFile (12, 1242968, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01264 392 NtQueryInformationFile (12, 1242812, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01265 392 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1242820, (0x40110080, {24, 0, 0x40, 0, 1242820, "\??\C:\WINDOWS\System32\windows.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01266 392 NtClose (-2147482032, ... ) == 0x0 01265 392 NtCreateFile ... 
228, {status=0x0, info=2}, ) == 0x0 01267 392 NtQueryVolumeInformationFile (228, 1242192, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01268 392 NtQueryInformationFile (228, 1242152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01269 392 NtQueryVolumeInformationFile (12, 1242192, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01270 392 NtSetInformationFile (228, 1241980, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01271 392 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 232, ) == 0x0 01272 392 NtMapViewOfSection (232, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 16384, ) == 0x0 01273 392 NtClose (232, ... ) == 0x0 01274 392 NtWriteFile (228, 0, 0, 0, (228, 0, 0, 0, "MZ\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\2\0\0\0\0\0\0\0\0\0\0\204\371\0\0\0\20\0\0\14\0\0\0\0\0J\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\211\371\0\0\24\0\0\0\267\370\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0MEW\0F\22\322\303\0\260\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\2\322u\333\212\26\353\324\0@\0\0\0\300\0\0\2359\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\276\34\300J\0\213\336\255\255P\255\227\262\200\244\266\200\377\23s\3713\311\377\23s\263\300\377\23s!\266\200A\260\20\377\23\22\300s\372u>\252\353\340\350v\276\0\0\2\366\203\331\1u\16\377S\374\353&\254\321\350t/\23\311\353\32\221H\301\340\10\254\377S\374=\0}\0\0s\12\200\374\5s\6\203\370\177w\2AA\225\213\305\266\0V\213\367+\360\363\244^\353\233\255\205\300u\220\255\226\255\227V\254<\0u\373\377S\360\225V\255\17\310@Yt\354y\7\254<\0u\373\221@PU\377S\364\253", 15261, 0x0, 0, ... {status=0x0, info=15261}, ) , 15261, 0x0, 0, ... 
{status=0x0, info=15261}, ) == 0x0 01275 392 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 01276 392 NtSetInformationFile (228, 1244424, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01277 392 NtClose (12, ... ) == 0x0 01278 392 NtClose (228, ... ) == 0x0 01279 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\windows.exe"}, 7, 2113568, ... 228, {status=0x0, info=1}, ) }, 7, 2113568, ... 228, {status=0x0, info=1}, ) == 0x0 01280 392 NtSetInformationFile (228, 1244624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01281 392 NtClose (228, ... ) == 0x0 01282 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\windows.exe"}, 7, 2113568, ... 228, {status=0x0, info=1}, ) }, 7, 2113568, ... 228, {status=0x0, info=1}, ) == 0x0 01283 392 NtSetInformationFile (228, 1244624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01284 392 NtClose (228, ... ) == 0x0 01285 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 228, ) }, ... 228, ) == 0x0 01286 392 NtSetValueKey (228, (228, "WIN", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0d\0o\0w\0s\0.\0e\0x\0e\0\0\0", 64, ... , 0, 1, (228, "WIN", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0d\0o\0w\0s\0.\0e\0x\0e\0\0\0", 64, ... , 64, ... 01287 392 NtSetInformationFile (-2147482808, -133331548, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01286 392 NtSetValueKey ... ) == 0x0 01288 392 NtClose (228, ... ) == 0x0 01289 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"}, ... 228, ) }, ... 228, ) == 0x0 01290 392 NtSetValueKey (228, (228, "DisableSR", 0, 4, "\1\0\0\0", 4, ... , 0, 4, (228, "DisableSR", 0, 4, "\1\0\0\0", 4, ... , 4, ... 
01291 392 NtSetInformationFile (-2147482808, -133331148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01290 392 NtSetValueKey ... ) == 0x0 01292 392 NtClose (228, ... ) == 0x0 01293 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01294 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01295 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01296 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01298 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01299 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01301 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01302 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Security Center"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Security Center"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01304 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Security Center"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01305 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Security Center"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01306 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Security Center"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01308 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\System"}, ... 228, ) }, ... 228, ) == 0x0 01309 392 NtSetValueKey (228, (228, "DisableTaskMgr", 0, 4, "\1\0\0\0", 4, ... , 0, 4, (228, "DisableTaskMgr", 0, 4, "\1\0\0\0", 4, ... , 4, ... 01310 392 NtSetInformationFile (-2147482808, -133331148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01309 392 NtSetValueKey ... ) == 0x0 01311 392 NtClose (228, ... ) == 0x0 01312 392 NtOpenKey (0x20006, {24, 60, 0x40, 0, 0, (0x20006, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01313 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\System"}, ... 228, ) }, ... 
228, ) == 0x0 01314 392 NtSetValueKey (228, (228, "DisableRegistryTools", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (228, "DisableRegistryTools", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 01315 392 NtClose (228, ... ) == 0x0 01316 392 NtOpenKey (0x20006, {24, 28, 0x40, 0, 0, (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 228, ) }, ... 228, ) == 0x0 01317 392 NtSetValueKey (228, (228, "WIN", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0d\0o\0w\0s\0.\0e\0x\0e\0\0\0", 64, ... , 0, 1, (228, "WIN", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0d\0o\0w\0s\0.\0e\0x\0e\0\0\0", 64, ... , 64, ... 01318 392 NtSetInformationFile (-2147482808, -133331240, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01317 392 NtSetValueKey ... ) == 0x0 01319 392 NtClose (228, ... ) == 0x0 01320 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243564, (0x80100080, {24, 0, 0x40, 0, 1243564, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 228, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 228, {status=0x0, info=1}, ) == 0x0 01321 392 NtQueryInformationFile (228, 1244500, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01322 392 NtQueryInformationFile (228, 1244472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01323 392 NtQueryInformationFile (228, 1244424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01324 392 NtQueryInformationFile (228, 1366040, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01325 392 NtQueryInformationFile (228, 1242968, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01326 392 NtQueryInformationFile (228, 1242812, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01327 392 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1242820, (0x40110080, {24, 0, 0x40, 0, 1242820, "\??\C:\WINDOWS\System32\attach.tmp"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01328 392 NtClose (-2147482032, ... ) == 0x0 01327 392 NtCreateFile ... 
12, {status=0x0, info=2}, ) == 0x0 01329 392 NtQueryVolumeInformationFile (12, 1242192, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01330 392 NtQueryInformationFile (12, 1242152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01331 392 NtQueryVolumeInformationFile (228, 1242192, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01332 392 NtSetInformationFile (12, 1241980, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01333 392 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 228, ... 232, ) == 0x0 01334 392 NtMapViewOfSection (232, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 16384, ) == 0x0 01335 392 NtClose (232, ... ) == 0x0 01336 392 NtWriteFile (12, 0, 0, 0, (12, 0, 0, 0, "MZ\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\2\0\0\0\0\0\0\0\0\0\0\204\371\0\0\0\20\0\0\14\0\0\0\0\0J\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\211\371\0\0\24\0\0\0\267\370\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0MEW\0F\22\322\303\0\260\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\2\322u\333\212\26\353\324\0@\0\0\0\300\0\0\2359\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\276\34\300J\0\213\336\255\255P\255\227\262\200\244\266\200\377\23s\3713\311\377\23s\263\300\377\23s!\266\200A\260\20\377\23\22\300s\372u>\252\353\340\350v\276\0\0\2\366\203\331\1u\16\377S\374\353&\254\321\350t/\23\311\353\32\221H\301\340\10\254\377S\374=\0}\0\0s\12\200\374\5s\6\203\370\177w\2AA\225\213\305\266\0V\213\367+\360\363\244^\353\233\255\205\300u\220\255\226\255\227V\254<\0u\373\377S\360\225V\255\17\310@Yt\354y\7\254<\0u\373\221@PU\377S\364\253", 15261, 0x0, 0, ... {status=0x0, info=15261}, ) , 15261, 0x0, 0, ... 
{status=0x0, info=15261}, ) == 0x0 01337 392 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 01338 392 NtSetInformationFile (12, 1244424, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01339 392 NtClose (228, ... ) == 0x0 01340 392 NtClose (12, ... ) == 0x0 01341 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\attach.tmp"}, 7, 2113568, ... 12, {status=0x0, info=1}, ) }, 7, 2113568, ... 12, {status=0x0, info=1}, ) == 0x0 01342 392 NtSetInformationFile (12, 1244624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01343 392 NtClose (12, ... ) == 0x0 01344 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\attach.tmp"}, 7, 2113568, ... 12, {status=0x0, info=1}, ) }, 7, 2113568, ... 12, {status=0x0, info=1}, ) == 0x0 01345 392 NtSetInformationFile (12, 1244624, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01346 392 NtClose (12, ... ) == 0x0 01347 392 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 12, ) }, ... 12, ) == 0x0 01348 392 NtDeleteValueKey (12, (12, "Symantec", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01349 392 NtClose (12, ... ) == 0x0 01350 392 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 12, ) }, ... 12, ) == 0x0 01351 392 NtDeleteValueKey (12, (12, "Symantec", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01352 392 NtClose (12, ... ) == 0x0 01353 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0 01354 392 NtAllocateVirtualMemory (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0 01355 392 NtProtectVirtualMemory (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0 01356 392 NtCreateThread (0x1f03ff, 0x0, -1, 1244284, 1245000, 1, ... 12, {316, 568}, ) == 0x0 01357 392 NtQueryInformationThread (12, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=316,Tid=568,}, 0x0, ) == 0x0 01358 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 7602273, 6357108, 6815843, 7602222} (24, {28, 56, new_msg, 0, 7602273, 6357108, 6815843, 7602222} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\0\0\0<\1\0\08\2\0\0" ... {28, 56, reply, 0, 316, 392, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\0\0\0<\1\0\08\2\0\0" ) ... {28, 56, reply, 0, 316, 392, 1500, 0} (24, {28, 56, new_msg, 0, 7602273, 6357108, 6815843, 7602222} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\0\0\0<\1\0\08\2\0\0" ... {28, 56, reply, 0, 316, 392, 1500, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\0\0\0<\1\0\08\2\0\0" ) ) == 0x0 01359 392 NtResumeThread (12, ... 1, ) == 0x0 01360 568 NtAllocateVirtualMemory (-1, 4468736, 0, 4096, 4096, 4, ... 4468736, 4096, ) == 0x0 01361 568 NtTestAlert (... ) == 0x0 01362 568 NtContinue (10485040, 1, ... 01363 568 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01364 568 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01365 568 NtQueryValueKey (228, (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01366 392 NtQueryValueKey (88, (88, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01367 392 NtQueryValueKey (88, (88, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01368 392 NtQueryValueKey (88, (88, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01369 392 NtQueryValueKey (88, (88, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01370 392 NtQueryValueKey (88, (88, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 392 NtQueryValueKey (88, (88, "CacheMode", Partial, 144, ... , Partial, 144, ... 01372 568 NtQueryValueKey (228, (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01373 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0 01374 568 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "Protocol_Catalog9"}, ... 236, ) }, ... 236, ) == 0x0 01375 568 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01376 568 NtNotifyChangeKey (236, 232, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01377 568 NtQueryValueKey (236, (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 01371 392 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01378 392 NtQueryValueKey (88, (88, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01379 392 NtQueryValueKey (88, (88, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 392 NtQueryValueKey (88, (88, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (88, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01381 392 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 240, ) }, ... 240, ) == 0x0 01382 392 NtQueryEvent (240, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01383 392 NtClose (240, ... 01384 568 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 568 NtQueryValueKey (236, (236, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 01386 568 NtQueryValueKey (236, (236, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01387 568 NtOpenKey (0x2000000, {24, 236, 0x40, 0, 0, (0x2000000, {24, 236, 0x40, 0, 0, "Catalog_Entries"}, ... 244, ) }, ... 244, ) == 0x0 01388 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000001"}, ... 248, ) }, ... 248, ) == 0x0 01389 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... , Partial, 144, ... 01383 392 NtClose ... ) == 0x0 01390 392 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1243212, 140, ... 240, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1243212, 140, ... 240, 0x0, 0x0, 256, 140, ) == 0x0 01391 392 NtRequestWaitReplyPort (240, {28, 52, new_msg, 0, 0, 0, 0, 0} (240, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\20\325\24\0" ... ... 01389 568 NtQueryValueKey ... 
) == STATUS_BUFFER_OVERFLOW 01392 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01393 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\5\0\0<\1\0\0\210\1\0\0\223\0\0\0\1\0\1\0\0\0\0\0\320\0\0\0\0\0\0\0\260\0\0\0\260\0\310\0\2\0\0\0<\1\0\0\210\1\0\0\336\5\0\0\0\0\0\0\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0r\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\00\0\0\0X\0\0\0\0\0\0\0\22\0\12\2\0\354\375\177\0\0\0\0S\0y\0n\0c\0M\0o\0d\0e\05\0\0\0\2\0\0\0\220\0\0\0r\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\04\0\0\300\0\0\0\0s\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\264\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\214\372\22\0@\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\5\0\0<\1\0\0\210\1\0\0\223\0\0\0\1\0\1\0\0\0\0\0\320\0\0\0\0\0\0\0\260\0\0\0\260\0\310\0\2\0\0\0<\1\0\0\210\1\0\0\336\5\0\0\0\0\0\0\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0r\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\00\0\0\0X\0\0\0\0\0\0\0\22\0\12\2\0\354\375\177\0\0\0\0S\0y\0n\0c\0M\0o\0d\0e\05\0\0\0\2\0\0\0\220\0\0\0r\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\04\0\0\300\0\0\0\0s\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\264\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\214\372\22\0@\0\0\0"}, 900, ) }, 900, ) == 0x0 01391 392 NtRequestWaitReplyPort ... {176, 200, reply, 0, 316, 392, 1502, 0} ... 
{176, 200, reply, 0, 316, 392, 1502, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01394 392 NtQueryValueKey (88, (88, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 252, ) }, ... 252, ) == 0x0 01396 392 NtQueryValueKey (252, (252, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01397 392 NtClose (252, ... ) == 0x0 01398 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 252, ) }, ... 252, ) == 0x0 01399 392 NtQueryValueKey (252, (252, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... , Partial, 144, ... 01400 568 NtClose (248, ... ) == 0x0 01401 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000002"}, ... 248, ) }, ... 248, ) == 0x0 01402 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01403 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01404 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0}\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0}\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\04\0\0\300\0\0\0\0~\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\374\0\0\0~\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\200\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\212\0\214\0\230R\24\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\05\0.\00\0\\0C\0a\0c\0h\0e\0\0\0\177\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0}\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0}\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\04\0\0\300\0\0\0\0~\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\374\0\0\0~\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\177\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\200\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\212\0\214\0\230R\24\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\05\0.\00\0\\0C\0a\0c\0h\0e\0\0\0\177\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0"}, 900, ) }, 900, ) == 0x0 01405 568 NtClose (248, ... ) == 0x0 01399 392 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 392 NtClose (252, ... 
) == 0x0 01407 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 252, ) }, ... 252, ) == 0x0 01408 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 248, ) }, ... 248, ) == 0x0 01409 392 NtQueryValueKey (248, (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01410 392 NtClose (248, ... ) == 0x0 01411 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... }, ... 01412 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000003"}, ... 248, ) }, ... 248, ) == 0x0 01413 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01414 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01415 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\210\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\210\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\211\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\203\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\0\1\0\0\212\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0<\0\0\0\200\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\212\0\214\0\230R\24\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\210\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\210\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\211\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\211\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\203\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\0\1\0\0\212\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0<\0\0\0\200\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\212\0\214\0\230R\24\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0"}, 900, ) }, 900, ) == 0x0 01416 568 NtClose (248, ... ) == 0x0 01417 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000004"}, ... 
248, ) }, ... 248, ) == 0x0 01411 392 NtOpenKey ... 256, ) == 0x0 01418 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 260, ) }, ... 260, ) == 0x0 01419 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 264, ) }, ... 264, ) == 0x0 01420 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 268, ) }, ... 268, ) == 0x0 01421 392 NtQueryValueKey (268, (268, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01422 392 NtQueryValueKey (268, (268, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01423 392 NtClose (268, ... 01424 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01425 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01426 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\223\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\223\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\224\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\225\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0<\0\0\0\270\360\22\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\223\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\223\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\224\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\225\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0<\0\0\0\270\360\22\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\225\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\217\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\226\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\274\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0<\0\0\0\270\360\22\0"}, 900, ) == 0x0 01427 568 NtClose (248, ... ) == 0x0 01428 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000005"}, ... 248, ) }, ... 248, ) == 0x0 01429 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01423 392 NtClose ... ) == 0x0 01430 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 268, ) }, ... 268, ) == 0x0 01431 392 NtQueryValueKey (268, (268, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01432 392 NtQueryValueKey (268, (268, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01433 392 NtQueryValueKey (268, (268, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01434 392 NtQueryValueKey (268, (268, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01435 392 NtQueryValueKey (268, (268, "History", Partial, 144, ... , Partial, 144, ... 01436 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01437 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\236\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\237\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01438 568 NtClose (248, ... ) == 0x0 01439 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000006"}, ... 248, ) }, ... 248, ) == 0x0 01440 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01441 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01435 392 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01442 392 NtQueryValueKey (268, (268, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (268, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01443 392 NtClose (268, ... ) == 0x0 01444 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "Content"}, ... 268, ) }, ... 268, ) == 0x0 01445 392 NtQueryValueKey (268, (268, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01446 392 NtClose (268, ... ) == 0x0 01447 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "Content"}, ... }, ... 01448 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\251\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\252\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\370\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\253\5\0\0<\1\0\08\2\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\254\5\0\0<\1\0\08\2\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\370\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01449 568 NtClose (248, ... ) == 0x0 01450 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000007"}, ... 248, ) }, ... 248, ) == 0x0 01451 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01452 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01453 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\247\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\14\1\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\376\377\377\377\14\0\0\0\1\0\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\1\0\1\0|\0\0\300\0\0\0\0\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\0\0\1\0\0\0\0\0\220\0\0\0\3\0\37\0\0\0\0\0\30\0\0\04\0\0\0\324\356\22\0\200\0\0\0\310\323\24\0\0\0\0\0\0\0\0\0X\0Z\0\0\354\375\177\0\0\0\0s\0h\0e\0l\0l\0.\0{\02\01\00\0A\04\0B\0A\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\09\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0\0\0\377\377\377\177\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\1\0\1\0\0\0\0@\10\0\0\0\0\0\0\0\20\1\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\20\1\0\0\1\0\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\261\5\0\0<\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\247\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\14\1\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\376\377\377\377\14\0\0\0\1\0\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\1\0\1\0|\0\0\300\0\0\0\0\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\0\0\1\0\0\0\0\0\220\0\0\0\3\0\37\0\0\0\0\0\30\0\0\04\0\0\0\324\356\22\0\200\0\0\0\310\323\24\0\0\0\0\0\0\0\0\0X\0Z\0\0\354\375\177\0\0\0\0s\0h\0e\0l\0l\0.\0{\02\01\00\0A\04\0B\0A\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\09\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0\0\0\377\377\377\177\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\1\0\1\0\0\0\0@\10\0\0\0\0\0\0\0\20\1\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\20\1\0\0\1\0\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\261\5\0\0<\1\0\0"}, 900, ) 
\0\0\0\0\0\1\0\0\0\0\0\220\0\0\0\3\0\37\0\0\0\0\0\30\0\0\04\0\0\0\324\356\22\0\200\0\0\0\310\323\24\0\0\0\0\0\0\0\0\0X\0Z\0\0\354\375\177\0\0\0\0s\0h\0e\0l\0l\0.\0{\02\01\00\0A\04\0B\0A\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\09\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0\0\0\377\377\377\177\257\5\0\0<\1\0\0\210\1\0\0 (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\247\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\14\1\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\0\0\1\0\0\0\0\0\14\0\0\0\376\377\377\377\14\0\0\0\1\0\0\0\256\5\0\0<\1\0\0\210\1\0\0Z\0\0\0\1\0\1\0|\0\0\300\0\0\0\0\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\0\0\1\0\0\0\0\0\220\0\0\0\3\0\37\0\0\0\0\0\30\0\0\04\0\0\0\324\356\22\0\200\0\0\0\310\323\24\0\0\0\0\0\0\0\0\0X\0Z\0\0\354\375\177\0\0\0\0s\0h\0e\0l\0l\0.\0{\02\01\00\0A\04\0B\0A\00\0-\03\0A\0E\0A\0-\01\00\06\09\0-\0A\02\0D\09\0-\00\08\00\00\02\0B\03\00\03\00\09\0D\0}\0\0\0\0\0\377\377\377\177\257\5\0\0<\1\0\0\210\1\0\0"\0\0\0\1\0\1\0\0\0\0@\10\0\0\0\0\0\0\0\20\1\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\0\0\1\0\0\0\0\0\10\0\0\0\20\1\0\0\1\0\0\0\260\5\0\0<\1\0\0\210\1\0\0\214\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\261\5\0\0<\1\0\0"}, 900, ) }, 900, ) == 0x0 01447 392 NtOpenKey ... 268, ) == 0x0 01454 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01455 392 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1364936, 0, (0x1f0003, {24, 52, 0x80, 1364936, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 272, ) }, 0, 2147483647, ... 272, ) == STATUS_OBJECT_NAME_EXISTS 01456 392 NtReleaseSemaphore (272, 1, ... 0, ) == 0x0 01457 392 NtWaitForSingleObject (272, 0, {0, 0}, ... ) == 0x0 01458 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 276, 2, ) }, 0, 0x0, 0, ... 276, 2, ) == 0x0 01459 568 NtClose (248, ... ) == 0x0 01460 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000008"}, ... 248, ) }, ... 248, ) == 0x0 01461 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01462 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01463 568 NtQueryValueKey (248, (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\270\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\270\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0(\0\0\0\24\1\0\0\0\0\0\0\12\0\14\0\260c=w\0\0\0\0C\0a\0c\0h\0e\0\0\0\2\0\0\0\220\0\0\0\271\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\0\0\0\0\214\0\0\0\0\0\0\0\2\0\0\0x\0\0\0\0\0\0\0\2\0\0\0l\0\0\0%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 
\0F\0i\0l\0e\0s\0\0\0\0\0\0\0x\0\0\0\272\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\272\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (248, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\270\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\370\0\0\0\270\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\271\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0(\0\0\0\24\1\0\0\0\0\0\0\12\0\14\0\260c=w\0\0\0\0C\0a\0c\0h\0e\0\0\0\2\0\0\0\220\0\0\0\271\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\0\0\0\0\214\0\0\0\0\0\0\0\2\0\0\0x\0\0\0\0\0\0\0\2\0\0\0l\0\0\0%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 
\0F\0i\0l\0e\0s\0\0\0\0\0\0\0x\0\0\0\272\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\272\5\0\0<\1\0\0\210\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0"}, 900, ) }, 900, ) == 0x0 01464 568 NtClose (248, ... ) == 0x0 01465 392 NtQueryValueKey (276, (276, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (276, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01466 392 NtClose (276, ... ) == 0x0 01467 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240440, ... ) }, 1240440, ... ) == 0x0 01468 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 276, 2, ) }, 0, 0x0, 0, ... 276, 2, ) == 0x0 01469 392 NtSetValueKey (276, (276, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (276, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01470 392 NtClose (276, ... 
) == 0x0 01471 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000009"}, ... 276, ) }, ... 276, ) == 0x0 01472 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01473 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01474 568 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01475 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\304\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\304\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\370\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\0\32\2\240 \24\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 
\0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\254\362\22\0\305\5\0\0<\1\0\0\210\1\0\0c\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\354\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\0\32\2\240 \24\0\0\0\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (276, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\304\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\304\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\305\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\370\362\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\0\32\2\240 \24\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 
\0F\0i\0l\0e\0s\0\254\362\22\0\305\5\0\0<\1\0\0\210\1\0\0c\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\306\5\0\0<\1\0\0\210\1\0\0c\0\0\0\0\0\1\0\0\0\0\0\314\0\0\0\0\0\0\0\30\0\0\0\0\0\0\0\354\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\234\0\32\2\240 \24\0\0\0\0\0"}, 900, ) }, 900, ) == 0x0 01476 568 NtClose (276, ... ) == 0x0 01477 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241772, ... ) }, 1241772, ... ) == 0x0 01478 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241504, ... ) }, 1241504, ... ) == 0x0 01479 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 276, {status=0x0, info=1}, ) }, 7, 2113568, ... 276, {status=0x0, info=1}, ) == 0x0 01480 392 NtSetInformationFile (276, 1241480, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01481 392 NtClose (276, ... ) == 0x0 01482 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1241504, ... ) }, 1241504, ... ) == 0x0 01483 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000010"}, ... 276, ) }, ... 276, ) == 0x0 01484 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01485 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01486 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\317\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\317\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\320\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\24\1\0\0\321\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\04\0\0\0\14\1\0\0\0\0\0\0\26\0\12\2\0\354\375\177\0\0\0\0C\0a\0c\0h\0e\0P\0r\0e\0f\0i\0x\0\0\0\2\0\0\0\220\0\0\0\321\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\0\0\0\0$\0\0\0\0\0\0\0\2\0\0\0\16\0\0\0\0\0\0\0\1\0\0\0\2\0\0\0\0\0h\0\0\0\0\0\16\0\0\0\322\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\04\0\0\0\14\1\0\0\0\0\0\0\26\0\12\2\0\354\375\177\0\0\0\0C\0a\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (276, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\317\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\317\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\320\5\0\0<\1\0\08\2\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\364\0\0\0\250\370\237\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\310\330\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\320\5\0\0<\1\0\08\2\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\24\1\0\0\321\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\04\0\0\0\14\1\0\0\0\0\0\0\26\0\12\2\0\354\375\177\0\0\0\0C\0a\0c\0h\0e\0P\0r\0e\0f\0i\0x\0\0\0\2\0\0\0\220\0\0\0\321\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\1\0\1\0\0\0\0\0$\0\0\0\0\0\0\0\2\0\0\0\16\0\0\0\0\0\0\0\1\0\0\0\2\0\0\0\0\0h\0\0\0\0\0\16\0\0\0\322\5\0\0<\1\0\0\210\1\0\0\200\0\0\0\0\0\1\0\0\0\0\04\0\0\0\14\1\0\0\0\0\0\0\26\0\12\2\0\354\375\177\0\0\0\0C\0a\0"}, 900, ) }, 900, ) == 0x0 01487 568 NtClose (276, ... ) == 0x0 01488 568 NtOpenKey (0x20019, {24, 244, 0x40, 0, 0, (0x20019, {24, 244, 0x40, 0, 0, "000000000011"}, ... 
276, ) }, ... 276, ) == 0x0 01489 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01490 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01491 392 NtQueryValueKey (268, (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01492 392 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 248, ) }, ... 248, ) == 0x0 01493 392 NtOpenKey (0xf, {24, 248, 0x40, 0, 0, (0xf, {24, 248, 0x40, 0, 0, "Paths"}, ... 280, ) }, ... 280, ) == 0x0 01494 392 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Path1"}, ... 284, ) }, ... 284, ) == 0x0 01495 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01496 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01497 568 NtQueryValueKey (276, (276, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\332\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\332\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\333\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\5\0\0<\1\0\08\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\335\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0<\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\30\1\0\0\334\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\14\08\363\24\0\0\0\0\0P\0a\0t\0h\02\0a\0\335\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\336\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0<\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\30\1\0\0\334\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\14\08\363\24\0\0\0\0\0P\0a\0t\0h\03\0a\0\336\5\0\0<\1\0\0\210\1\0\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (276, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\332\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\24\1\0\0\332\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\333\5\0\0<\1\0\08\2\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\364\0\0\0\333\5\0\0<\1\0\08\2\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\334\5\0\0<\1\0\08\2\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\350\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\335\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0<\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\30\1\0\0\334\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\14\08\363\24\0\0\0\0\0P\0a\0t\0h\02\0a\0\335\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\364\0\0\0\336\5\0\0<\1\0\0\210\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0<\0\0\0\17\0\0\0\0\0\0\0\30\0\0\0\30\1\0\0\334\361\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\12\0\14\08\363\24\0\0\0\0\0P\0a\0t\0h\03\0a\0\336\5\0\0<\1\0\0\210\1\0\0"}, 900, ) }, 900, ) == 0x0 01498 568 NtClose (276, ... ) == 0x0 01499 568 NtClose (244, ... ) == 0x0 01500 568 NtWaitForSingleObject (232, 0, {0, 0}, ... 
01501 392 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Path2"}, ... 244, ) }, ... 244, ) == 0x0 01502 392 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Path3"}, ... 276, ) }, ... 276, ) == 0x0 01503 392 NtOpenKey (0xf, {24, 280, 0x40, 0, 0, (0xf, {24, 280, 0x40, 0, 0, "Path4"}, ... 288, ) }, ... 288, ) == 0x0 01500 568 NtWaitForSingleObject ... ) == 0x102 01504 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0 01505 568 NtOpenKey (0x2000000, {24, 228, 0x40, 0, 0, (0x2000000, {24, 228, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 296, ) }, ... 296, ) == 0x0 01506 568 NtQueryValueKey (296, (296, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01507 568 NtNotifyChangeKey (296, 292, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01508 392 NtOpenKey (0xf, {24, 248, 0x40, 0, 0, (0xf, {24, 248, 0x40, 0, 0, "Special Paths"}, ... 300, ) }, ... 300, ) == 0x0 01509 392 NtSetValueKey (280, (280, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (280, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 01510 392 NtSetValueKey (280, (280, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (280, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... 
) == 0x0 01511 392 NtSetValueKey (284, (284, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (284, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01512 392 NtSetValueKey (244, (244, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (244, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01513 392 NtSetValueKey (276, (276, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... 
) , 0, 1, (276, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 01514 568 NtQueryValueKey (296, (296, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01515 568 NtOpenKey (0x2000000, {24, 296, 0x40, 0, 0, (0x2000000, {24, 296, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01516 568 NtQueryValueKey (296, (296, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01517 568 NtOpenKey (0x2000000, {24, 296, 0x40, 0, 0, (0x2000000, {24, 296, 0x40, 0, 0, "Catalog_Entries"}, ... 304, ) }, ... 304, ) == 0x0 01518 568 NtOpenKey (0x20019, {24, 304, 0x40, 0, 0, (0x20019, {24, 304, 0x40, 0, 0, "000000000001"}, ... 308, ) }, ... 308, ) == 0x0 01519 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01520 392 NtSetValueKey (288, (288, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (288, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01521 392 NtSetValueKey (284, (284, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (284, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01522 392 NtSetValueKey (244, (244, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (244, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01523 392 NtSetValueKey (276, (276, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (276, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01524 392 NtSetValueKey (288, (288, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (288, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01525 392 NtClose (288, ... ) == 0x0 01526 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01527 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01528 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01529 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01530 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01531 568 NtQueryValueKey (308, (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01532 392 NtClose (276, ... ) == 0x0 01533 392 NtClose (244, ... ) == 0x0 01534 392 NtClose (284, ... ) == 0x0 01535 392 NtClose (280, ... ) == 0x0 01536 392 NtClose (300, ... ) == 0x0 01537 392 NtClose (248, ... ) == 0x0 01538 568 NtQueryValueKey (308, (308, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01539 568 NtQueryValueKey (308, (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01540 568 NtQueryValueKey (308, (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01541 568 NtQueryValueKey (308, (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01542 568 NtQueryValueKey (308, (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01543 568 NtClose (308, ... ) == 0x0 01544 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "Cookies"}, ... 308, ) }, ... 308, ) == 0x0 01545 392 NtQueryValueKey (308, (308, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01546 392 NtClose (308, ... ) == 0x0 01547 392 NtClose (268, ... ) == 0x0 01548 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "Cookies"}, ... 268, ) }, ... 268, ) == 0x0 01549 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01550 568 NtOpenKey (0x20019, {24, 304, 0x40, 0, 0, (0x20019, {24, 304, 0x40, 0, 0, "000000000002"}, ... 308, ) }, ... 308, ) == 0x0 01551 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01552 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01553 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01554 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01555 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01556 392 NtReleaseSemaphore (272, 1, ... 0, ) == 0x0 01557 392 NtWaitForSingleObject (272, 0, {0, 0}, ... ) == 0x0 01558 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 248, 2, ) }, 0, 0x0, 0, ... 
248, 2, ) == 0x0 01559 392 NtQueryValueKey (248, (248, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (248, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01560 392 NtClose (248, ... ) == 0x0 01561 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1240440, ... }, 1240440, ... 01562 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01563 568 NtQueryValueKey (308, (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01564 568 NtQueryValueKey (308, (308, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 568 NtQueryValueKey (308, (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01566 568 NtQueryValueKey (308, (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01567 568 NtQueryValueKey (308, (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01561 392 NtQueryAttributesFile ... ) == 0x0 01568 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 248, 2, ) }, 0, 0x0, 0, ... 248, 2, ) == 0x0 01569 392 NtSetValueKey (248, (248, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (248, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01570 392 NtClose (248, ... ) == 0x0 01571 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1241772, ... ) }, 1241772, ... ) == 0x0 01572 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01573 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... , Partial, 144, ... 01574 568 NtQueryValueKey (308, (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01575 568 NtClose (308, ... ) == 0x0 01576 568 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01577 568 NtOpenKey (0x20019, {24, 304, 0x40, 0, 0, (0x20019, {24, 304, 0x40, 0, 0, "000000000003"}, ... 308, ) }, ... 308, ) == 0x0 01578 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01579 568 NtQueryValueKey (308, (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01573 392 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01580 392 NtQueryValueKey (268, (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01581 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "History"}, ... 248, ) }, ... 248, ) == 0x0 01582 392 NtQueryValueKey (248, (248, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (248, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01583 392 NtClose (248, ... ) == 0x0 01584 392 NtClose (268, ... ) == 0x0 01585 392 NtOpenKey (0xf, {24, 260, 0x40, 0, 0, (0xf, {24, 260, 0x40, 0, 0, "History"}, ... }, ... 01586 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01587 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01588 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01589 568 NtQueryValueKey (308, (308, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (308, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01590 568 NtQueryValueKey (308, (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (308, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01591 568 NtQueryValueKey (308, (308, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 392 NtOpenKey ... 268, ) == 0x0 01592 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01593 392 NtReleaseSemaphore (272, 1, ... 0, ) == 0x0 01594 392 NtWaitForSingleObject (272, 0, {0, 0}, ... ) == 0x0 01595 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 248, 2, ) }, 0, 0x0, 0, ... 248, 2, ) == 0x0 01596 392 NtQueryValueKey (248, (248, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (248, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01597 568 NtQueryValueKey (308, (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01598 568 NtQueryValueKey (308, (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (308, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01599 568 NtQueryValueKey (308, (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01600 568 NtQueryValueKey (308, (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01601 568 NtClose (308, ... ) == 0x0 01602 568 NtClose (304, ... ) == 0x0 01603 392 NtClose (248, ... ) == 0x0 01604 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240440, ... ) }, 1240440, ... ) == 0x0 01605 392 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 248, 2, ) }, 0, 0x0, 0, ... 248, 2, ) == 0x0 01606 392 NtSetValueKey (248, (248, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (248, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 01607 392 NtClose (248, ... ) == 0x0 01608 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241772, ... ) }, 1241772, ... ) == 0x0 01609 568 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 01610 568 NtClose (228, ... 
) == 0x0 01611 568 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01612 568 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01613 568 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 228, ) }, ... 228, ) == 0x0 01614 568 NtQueryValueKey (228, (228, "Ws2_32NumHandleBuckets", Partial, 144, ... , Partial, 144, ... 01615 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241504, ... ) }, 1241504, ... ) == 0x0 01616 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 248, {status=0x0, info=1}, ) }, 7, 2113568, ... 248, {status=0x0, info=1}, ) == 0x0 01617 392 NtSetInformationFile (248, 1241480, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01618 392 NtClose (248, ... ) == 0x0 01619 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1241504, ... ) }, 1241504, ... ) == 0x0 01620 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01614 568 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 568 NtClose (228, ... ) == 0x0 01622 568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 228, ) == 0x0 01623 568 NtWaitForSingleObject (232, 0, {0, 0}, ... 
) == 0x102 01624 568 NtAllocateVirtualMemory (-1, 10473472, 0, 4096, 4096, 260, ... 10473472, 4096, ) == 0x0 01625 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10480744, ... ) }, 10480744, ... ) == 0x0 01626 392 NtQueryValueKey (268, (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (268, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 01627 392 NtQueryValueKey (268, (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01628 392 NtClose (268, ... ) == 0x0 01629 392 NtClose (264, ... ) == 0x0 01630 392 NtClose (256, ... ) == 0x0 01631 392 NtClose (260, ... ) == 0x0 01632 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 260, {status=0x0, info=1}, ) }, 5, 96, ... 260, {status=0x0, info=1}, ) == 0x0 01633 568 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 260, ... 256, ) == 0x0 01634 568 NtClose (260, ... ) == 0x0 01635 568 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 229376, ) == 0x0 01636 568 NtClose (256, ... ) == 0x0 01637 568 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 01638 392 NtClose (252, ... ) == 0x0 01639 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 252, ) }, ... 252, ) == 0x0 01640 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 256, ) }, ... 256, ) == 0x0 01641 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01642 392 NtCreateEvent (0x100003, 0x0, 1, 0, ... 
260, ) == 0x0 01643 392 NtWaitForSingleObject (260, 0, 0x0, ... 01644 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10481060, ... ) }, 10481060, ... ) == 0x0 01645 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 264, {status=0x0, info=1}, ) }, 5, 96, ... 264, {status=0x0, info=1}, ) == 0x0 01646 568 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 264, ... 268, ) == 0x0 01647 568 NtQuerySection (268, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01648 568 NtClose (264, ... ) == 0x0 01649 568 NtMapViewOfSection (268, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01650 568 NtClose (268, ... ) == 0x0 01651 568 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01652 568 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01653 568 NtSetEventBoostPriority (260, ... 01643 392 NtWaitForSingleObject ... ) == 0x0 01654 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 268, {status=0x0, info=1}, ) }, 3, 8388641, ... 268, {status=0x0, info=1}, ) == 0x0 01655 392 NtQueryVolumeInformationFile (268, 1243024, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01656 392 NtClose (268, ... ) == 0x0 01657 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 268, {status=0x0, info=1}, ) }, 3, 8388641, ... 268, {status=0x0, info=1}, ) == 0x0 01658 392 NtQueryVolumeInformationFile (268, 1243048, 24, Size, ... 
{status=0x0, info=24}, ) == 0x0 01653 568 NtSetEventBoostPriority ... ) == 0x0 01659 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 264, ) == 0x0 01660 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10480388, ... ) }, 10480388, ... ) == 0x0 01661 568 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 248, ) }, ... 248, ) == 0x0 01662 568 NtQueryValueKey (248, (248, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (248, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01663 568 NtQueryValueKey (248, (248, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (248, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01664 392 NtClose (268, ... ) == 0x0 01665 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243376, ... ) }, 1243376, ... ) == 0x0 01666 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 268, {status=0x0, info=1}, ) }, 7, 2113568, ... 268, {status=0x0, info=1}, ) == 0x0 01667 392 NtSetInformationFile (268, 1243352, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01668 392 NtClose (268, ... 
) == 0x0 01669 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243368, (0xc0100080, {24, 0, 0x40, 1364936, 1243368, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0 01670 568 NtClose (248, ... ) == 0x0 01671 568 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 248, ) }, ... 248, ) == 0x0 01672 568 NtQueryValueKey (248, (248, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01673 568 NtQueryValueKey (248, (248, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01674 568 NtQueryValueKey (248, (248, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (248, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01675 568 NtClose (248, ... ) == 0x0 01676 392 NtSetInformationFile (268, 1243420, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01677 392 NtQueryInformationFile (268, 1243420, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01678 392 NtClose (268, ... 
) == 0x0 01679 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243352, (0xc0100080, {24, 0, 0x40, 1364936, 1243352, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 268, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 268, {status=0x0, info=1}, ) == 0x0 01680 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 248, ) }, ... 248, ) == 0x0 01681 392 NtMapViewOfSection (248, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 32768, ) == 0x0 01682 568 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01683 568 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 304, ) }, ... 304, ) == 0x0 01684 568 NtQueryValueKey (304, (304, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01685 568 NtQueryValueKey (304, (304, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01686 568 NtQueryValueKey (304, (304, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (304, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01687 568 NtQueryValueKey (304, (304, "HelperDllName", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (304, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01688 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 01689 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 308, ) }, ... 308, ) == 0x0 01690 392 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 01691 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01692 392 NtQueryVolumeInformationFile (300, 1243024, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01693 392 NtClose (300, ... 01694 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 10481308, ... ) }, 10481308, ... ) == 0x0 01695 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0 01696 568 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 280, ... 284, ) == 0x0 01697 568 NtClose (280, ... ) == 0x0 01698 568 NtMapViewOfSection (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 20480, ) == 0x0 01699 568 NtClose (284, ... ) == 0x0 01693 392 NtClose ... ) == 0x0 01700 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 300, {status=0x0, info=1}, ) }, 3, 8388641, ... 300, {status=0x0, info=1}, ) == 0x0 01701 392 NtQueryVolumeInformationFile (300, 1243048, 24, Size, ... 
{status=0x0, info=24}, ) == 0x0 01702 392 NtClose (300, ... ) == 0x0 01703 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1243376, ... ) }, 1243376, ... ) == 0x0 01704 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 300, {status=0x0, info=1}, ) }, 7, 2113568, ... 300, {status=0x0, info=1}, ) == 0x0 01705 392 NtSetInformationFile (300, 1243352, 40, Basic, ... 01706 568 NtUnmapViewOfSection (-1, 0xa10000, ... ) == 0x0 01707 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 10481624, ... ) }, 10481624, ... ) == 0x0 01708 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) }, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0 01709 568 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 284, ... 280, ) == 0x0 01710 568 NtQuerySection (280, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01711 568 NtClose (284, ... ) == 0x0 01705 392 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01712 392 NtClose (300, ... ) == 0x0 01713 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243368, (0xc0100080, {24, 0, 0x40, 1364936, 1243368, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 300, {status=0x0, info=1}, ) == 0x0 01714 392 NtSetInformationFile (300, 1243420, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01715 392 NtQueryInformationFile (300, 1243420, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01716 392 NtClose (300, ... 
) == 0x0 01717 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243352, (0xc0100080, {24, 0, 0x40, 1364936, 1243352, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... }, 0x0, 0, 3, 3, 2144, 0, 0, ... 01718 568 NtMapViewOfSection (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01719 568 NtClose (280, ... ) == 0x0 01720 568 NtClose (304, ... ) == 0x0 01721 568 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 10483824, 67, ... 304, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 10483824, 67, ... 304, {status=0x0, info=0}, ) == 0x0 01722 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x1207b, (304, 264, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0 \33\25\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\340\241\14\201", ) , 16, 16, ... {status=0x0, info=16}, (304, 264, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0 \33\25\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\340\241\14\201", ) , ) == 0x0 01723 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x1207b, (304, 264, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\340\241\14\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\340\241\14\201", ) , 16, 16, ... {status=0x0, info=16}, (304, 264, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\340\241\14\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\340\241\14\201", ) , ) == 0x0 01717 392 NtCreateFile ... 280, {status=0x0, info=1}, ) == 0x0 01724 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 300, ) }, ... 300, ) == 0x0 01725 392 NtMapViewOfSection (300, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa10000), {0, 0}, 16384, ) == 0x0 01726 392 NtReleaseMutant (308, ... 
0x0, ) == 0x0 01727 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 284, ) }, ... 284, ) == 0x0 01728 392 NtWaitForSingleObject (284, 0, 0x0, ... ) == 0x0 01729 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12047, (304, 264, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 \33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 01730 568 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 01731 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12047, (304, 264, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\20\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 01732 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x1203b, (304, 264, 0x0, 0x0, 0x1203b, "\2\0\0\0 \31\25\0\1\0\0\0\0\0\24\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 01733 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12003, (304, 264, 0x0, 0x0, 0x12003, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=244}, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", ) \265\0\0\0\0\0\0\0\0\0\0\0\0 (304, 264, 0x0, 0x0, 0x12003, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=244}, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", ) \1\0\0\0\1\0\0\0\16\0\2\0 (304, 264, 0x0, 0x0, 0x12003, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=244}, "\1\0\0\0\1\0\0\0\16\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01734 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12047, (304, 264, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0P\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... \265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... 01735 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01736 392 NtQueryVolumeInformationFile (276, 1243024, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01737 392 NtClose (276, ... 
) == 0x0 01738 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 276, {status=0x0, info=1}, ) }, 3, 8388641, ... 276, {status=0x0, info=1}, ) == 0x0 01739 392 NtQueryVolumeInformationFile (276, 1243048, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01740 392 NtClose (276, ... ) == 0x0 01734 568 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01741 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x1200b, (304, 264, 0x0, 0x0, 0x1200b, "\0\21\252q\12\0\0\0\0\0\0\0", 12, 0, ... {status=0x0, info=0}, 0x0, ) , 12, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01742 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12047, (304, 264, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0Q\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0"\265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) \265\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01743 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243376, ... ) }, 1243376, ... ) == 0x0 01744 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 276, {status=0x0, info=1}, ) }, 7, 2113568, ... 
276, {status=0x0, info=1}, ) == 0x0 01745 392 NtSetInformationFile (276, 1243352, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01746 392 NtClose (276, ... ) == 0x0 01747 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243368, (0xc0100080, {24, 0, 0x40, 1364936, 1243368, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01748 392 NtSetInformationFile (276, 1243420, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01749 392 NtQueryInformationFile (276, 1243420, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01750 392 NtClose (276, ... ) == 0x0 01751 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 1364936, 1243352, (0xc0100080, {24, 0, 0x40, 1364936, 1243352, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 276, {status=0x0, info=1}, ) == 0x0 01752 392 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 288, ) }, ... 288, ) == 0x0 01753 392 NtMapViewOfSection (288, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 32768, ) == 0x0 01754 392 NtReleaseMutant (284, ... 0x0, ) == 0x0 01755 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1243432, ... ) }, 1243432, ... ) == 0x0 01756 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01757 392 NtSetInformationFile (312, 1243408, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 01758 392 NtClose (312, ... ) == 0x0 01759 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1243432, ... ) }, 1243432, ... ) == 0x0 01760 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1243432, ... ) }, 1243432, ... ) == 0x0 01761 392 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 312, {status=0x0, info=1}, ) }, 7, 2113568, ... 312, {status=0x0, info=1}, ) == 0x0 01762 392 NtSetInformationFile (312, 1243408, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01763 392 NtClose (312, ... ) == 0x0 01764 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1243432, ... ) }, 1243432, ... ) == 0x0 01765 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01766 392 NtQueryInformationFile (268, 1241816, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01767 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 01768 392 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 312, ) }, ... 312, ) == 0x0 01769 392 NtOpenKey (0xf, {24, 312, 0x40, 0, 0, (0xf, {24, 312, 0x40, 0, 0, "Extensible Cache"}, ... 316, ) }, ... 316, ) == 0x0 01770 392 NtClose (312, ... ) == 0x0 01771 392 NtWaitForSingleObject (252, 0, {-600000000, -1}, ... ) == 0x0 01772 392 NtEnumerateKey (316, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (316, 0, Basic, 288, ... 
{LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01773 392 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007051420070521"}, ... 312, ) }, ... 312, ) == 0x0 01774 392 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01775 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01776 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01777 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01778 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01779 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01780 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01781 392 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01782 392 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01783 392 NtClose (312, ... ) == 0x0 01784 392 NtEnumerateKey (316, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (316, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01785 392 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007052120070528"}, ... 312, ) }, ... 
312, ) == 0x0 01786 392 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01787 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01788 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01789 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01790 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01791 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01792 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01793 392 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01794 392 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01795 392 NtClose (312, ... ) == 0x0 01796 392 NtEnumerateKey (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (316, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01797 392 NtOpenKey (0xf, {24, 316, 0x40, 0, 0, (0xf, {24, 316, 0x40, 0, 0, "MSHist012007053120070601"}, ... 312, ) }, ... 312, ) == 0x0 01798 392 NtQueryValueKey (312, (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01799 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01800 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01801 392 NtQueryValueKey (312, (312, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01802 392 NtQueryValueKey (312, (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (312, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01803 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01804 392 NtQueryValueKey (312, (312, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01805 392 NtQueryValueKey (312, (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01806 392 NtQueryValueKey (312, (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (312, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01807 392 NtClose (312, ... ) == 0x0 01808 392 NtEnumerateKey (316, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01809 392 NtReleaseMutant (252, ... 0x0, ) == 0x0 01810 392 NtClose (316, ... ) == 0x0 01811 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01812 392 NtQueryInformationFile (268, 1243744, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01813 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 01814 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01815 392 NtQueryInformationFile (268, 1243816, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01816 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 01817 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01818 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01819 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01820 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01821 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01822 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01823 392 NtQueryValueKey (316, (316, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01824 392 NtClose (316, ... ) == 0x0 01825 392 NtQueryValueKey (88, (88, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01826 392 NtQueryValueKey (88, (88, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01827 392 NtQueryValueKey (88, (88, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01828 392 NtQueryValueKey (88, (88, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01829 392 NtQueryValueKey (88, (88, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 392 NtQueryValueKey (88, (88, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01831 392 NtQueryValueKey (88, (88, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 392 NtQueryValueKey (88, (88, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01833 392 NtQueryValueKey (88, (88, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01834 392 NtQueryValueKey (88, (88, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01835 392 NtQueryValueKey (88, (88, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 392 NtQueryValueKey (88, (88, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01837 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 316, ) }, ... 316, ) == 0x0 01838 392 NtQueryValueKey (316, (316, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01839 392 NtClose (316, ... ) == 0x0 01840 392 NtQueryValueKey (88, (88, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01841 392 NtQueryValueKey (88, (88, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01842 392 NtQueryValueKey (88, (88, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01843 392 NtQueryValueKey (88, (88, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01844 392 NtQueryValueKey (88, (88, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01845 392 NtQueryValueKey (88, (88, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01846 392 NtQueryValueKey (88, (88, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01847 392 NtQueryValueKey (88, (88, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 392 NtQueryValueKey (88, (88, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01849 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 316, ) }, ... 316, ) == 0x0 01850 392 NtQueryValueKey (316, (316, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01851 392 NtClose (316, ... ) == 0x0 01852 392 NtQueryValueKey (88, (88, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01853 392 NtQueryValueKey (88, (88, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01854 392 NtQueryValueKey (88, (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01855 392 NtQueryValueKey (88, (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01856 392 NtQueryValueKey (88, (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01857 392 NtQueryValueKey (88, (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (88, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01858 392 NtQueryValueKey (88, (88, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01859 392 NtQueryValueKey (88, (88, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01860 392 NtQueryValueKey (88, (88, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01861 392 NtQueryValueKey (88, (88, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01862 392 NtQueryValueKey (88, (88, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (88, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01863 392 NtQueryValueKey (88, (88, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01864 392 NtQueryValueKey (88, (88, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01865 392 NtQueryValueKey (88, (88, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01866 392 NtQueryValueKey (88, (88, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01867 392 NtQueryValueKey (88, (88, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01868 392 NtQueryValueKey (88, (88, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01869 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 316, ) }, ... 316, ) == 0x0 01870 392 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 312, ) == 0x0 01871 392 NtQueryValueKey (88, (88, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01872 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 01873 392 NtQueryInformationFile (268, 1243792, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01874 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 01875 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 320, ) }, ... 320, ) == 0x0 01876 392 NtCreateMutant (0x1f0001, 0x0, 0, ... 
324, ) == 0x0 01877 392 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 328, ) }, ... 328, ) == 0x0 01878 392 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01879 392 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01880 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 332, ) }, ... 332, ) == 0x0 01881 392 NtQueryValueKey (332, (332, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01882 392 NtQueryValueKey (332, (332, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 01883 392 NtClose (332, ... ) == 0x0 01884 392 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01885 392 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 01886 392 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 01887 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 332, ) == 0x0 01888 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 336, ) == 0x0 01889 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 340, ) == 0x0 01890 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
344, ) == 0x0 01891 392 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0 01892 392 NtQueryValueKey (348, (348, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (348, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01893 392 NtClose (348, ... ) == 0x0 01894 392 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01895 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 348, ) == 0x0 01896 392 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 352, ) == 0x0 01897 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 356, ) }, ... 356, ) == 0x0 01898 392 NtQueryValueKey (356, (356, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01899 392 NtQueryValueKey (356, (356, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01900 392 NtQueryValueKey (356, (356, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01901 392 NtQueryValueKey (356, (356, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "ConsoleTracingMask", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01902 392 NtQueryValueKey (356, (356, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01903 392 NtQueryValueKey (356, (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01904 392 NtQueryValueKey (356, (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01905 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 360, ) == 0x0 01906 392 NtNotifyChangeKey (356, 360, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01907 392 NtQueryValueKey (356, (356, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01908 392 NtQueryValueKey (356, (356, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01909 392 NtQueryValueKey (356, (356, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "EnableConsoleTracing", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01910 392 NtQueryValueKey (356, (356, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01911 392 NtQueryValueKey (356, (356, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01912 392 NtQueryValueKey (356, (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01913 392 NtQueryValueKey (356, (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (356, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01914 392 NtNotifyChangeKey (356, 360, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01915 392 NtSetEvent (344, ... 0x0, ) == 0x0 01916 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 364, ) }, ... 364, ) == 0x0 01917 392 NtWaitForSingleObject (364, 0, {-1800000000, -1}, ... ) == 0x0 01918 392 NtClose (364, ... ) == 0x0 01919 392 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01920 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 364, ) }, ... 364, ) == 0x0 01922 392 NtQueryValueKey (364, (364, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 392 NtClose (364, ... ) == 0x0 01924 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01925 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 364, ) == 0x0 01926 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 368, ) == 0x0 01927 392 NtQuerySystemTime (... {-1058317718, 29889232}, ) == 0x0 01928 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 01929 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01930 392 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01931 568 NtDeviceIoControlFile (304, 264, 0x0, 0x0, 0x12024, (304, 264, 0x0, 0x0, 0x12024, "\377\377\377\377\377\377\377\177\1\0\0\0\0\0\0\00\1\0\0\31\0\0\0\0\0\0\0", 28, 28, ... {status=0xb5220002, info=0}, "", ) , 28, 28, ... {status=0xb5220002, info=0}, "", ) == 0x103 01932 568 NtWaitForSingleObject (264, 1, {-5000000, -1}, ... 01933 392 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 
{process info, class 1, size 32}, 0x0, ) == 0x0 01934 392 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01935 392 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 376, ) == 0x0 01936 392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 380, ) == 0x0 01937 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 384, ) }, ... 384, ) == 0x0 01938 392 NtOpenKey (0x20019, {24, 384, 0x40, 0, 0, (0x20019, {24, 384, 0x40, 0, 0, "ActiveComputerName"}, ... 388, ) }, ... 388, ) == 0x0 01939 392 NtQueryValueKey (388, (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (388, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01940 392 NtClose (388, ... ) == 0x0 01941 392 NtClose (384, ... ) == 0x0 01942 392 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 384, ) == 0x0 01943 392 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 388, ) == 0x0 01944 392 NtDuplicateObject (-1, 384, -1, 0x0, 0, 2, ... 392, ) == 0x0 01945 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01946 392 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 01947 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 01948 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01949 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01950 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242340, (0xc0100080, {24, 0, 0x40, 0, 1242340, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 
400, {status=0x0, info=1}, ) == 0x0 01951 392 NtSetInformationFile (400, 1242396, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01952 392 NtSetInformationFile (400, 1242388, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01953 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01954 392 NtWriteFile (400, 377, 0, 0, (400, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01955 392 NtReadFile (400, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (400, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\313 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01956 392 NtFsControlFile (400, 377, 0x0, 0x0, 0x11c017, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\313 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\313 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01957 392 NtFsControlFile (400, 377, 0x0, 0x0, 0x11c017, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48}, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01958 392 NtFsControlFile (400, 377, 0x0, 0x0, 0x11c017, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01959 392 NtFsControlFile (400, 377, 0x0, 0x0, 0x11c017, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\331\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01960 392 NtFsControlFile (400, 377, 0x0, 0x0, 0x11c017, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (400, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\330\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01961 392 NtClose (396, ... ) == 0x0 01962 392 NtClose (400, ... ) == 0x0 01963 392 NtReleaseMutant (324, ... 0x0, ) == 0x0 01964 392 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01965 392 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01966 392 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01967 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01968 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 01969 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01970 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01971 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239844, (0xc0100080, {24, 0, 0x40, 0, 1239844, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 01972 392 NtSetInformationFile (396, 1239900, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01973 392 NtSetInformationFile (396, 1239892, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01974 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01975 392 NtWriteFile (396, 377, 0, 0, (396, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01976 392 NtReadFile (396, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01977 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\207\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01978 392 NtClose (400, ... ) == 0x0 01979 392 NtClose (396, ... 
) == 0x0 01980 392 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 396, 2, ) }, 0, 0x0, 0, ... 396, 2, ) == 0x0 01981 392 NtCreateKey (0x20019, {24, 396, 0x40, 0, 0, (0x20019, {24, 396, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0 01982 392 NtClose (396, ... ) == 0x0 01983 392 NtQueryValueKey (400, (400, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01984 392 NtClose (400, ... ) == 0x0 01985 392 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 400, ) }, ... 400, ) == 0x0 01986 392 NtWaitForSingleObject (400, 0, {-1800000000, -1}, ... ) == 0x0 01987 392 NtClose (400, ... ) == 0x0 01988 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01989 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 01990 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01991 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01992 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241928, (0xc0100080, {24, 0, 0x40, 0, 1241928, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 01993 392 NtSetInformationFile (396, 1241984, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01994 392 NtSetInformationFile (396, 1241976, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01995 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01996 392 NtWriteFile (396, 377, 0, 0, (396, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) == 0x0 01997 392 NtReadFile (396, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01998 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\314 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01999 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02000 392 NtWaitForSingleObject (377, 0, 0x0, ... 
) == 0x0 02001 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103 02002 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103 02003 392 NtWaitForSingleObject (377, 0, 0x0, ... ) == 0x0 02004 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103 02005 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\24\374\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103 02006 392 NtFsControlFile (396, 377, 0x0, 0x0, 0x11c017, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624}, (396, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\332\206+\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 02007 392 NtClose (400, ... 
) == 0x0 02008 392 NtClose (396, ... ) == 0x0 02009 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02010 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 1242188, ... ) }, 1242188, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02011 392 NtQueryAttributesFile ({24, 224, 0x40, 0, 0, ({24, 224, 0x40, 0, 0, "sensapi.dll"}, 1242188, ... ) }, 1242188, ... ) == 0x0 02012 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 396, {status=0x0, info=1}, ) }, 5, 96, ... 396, {status=0x0, info=1}, ) == 0x0 02013 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 396, ... 400, ) == 0x0 02014 392 NtQuerySection (400, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02015 392 NtClose (396, ... ) == 0x0 02016 392 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 02017 392 NtClose (400, ... ) == 0x0 02018 392 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 400, ) }, ... 400, ) == 0x0 02019 392 NtMapViewOfSection (400, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa30000), {0, 0}, 4096, ) == 0x0 02020 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02021 392 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 1242652, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242652, 112, ... 
404, 0x0, 0x0, 0x0, 112, ) == 0x0 02022 392 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 1310720, 127984, 1310720, 1242416} (404, {128, 152, new_msg, 0, 1310720, 127984, 1310720, 1242416} "\0$\370w\340\373\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0HA\25\0\4\0\0\0HA\25\0\20\344\314wHA\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0HW\25\0xP\25\0\240\1\24\0\4\0\0\0@W\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0Z\0\0\0" ... {128, 152, reply, 0, 316, 392, 1504, 0} "\7$\370w\340\373\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0HA\25\0\377\377\377\377HA\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0HW\25\0xP\25\0\240\1\24\0\4\0\0\0@W\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0Z\0\0\0" ) ... {128, 152, reply, 0, 316, 392, 1504, 0} (404, {128, 152, new_msg, 0, 1310720, 127984, 1310720, 1242416} "\0$\370w\340\373\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0HA\25\0\4\0\0\0HA\25\0\20\344\314wHA\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0HW\25\0xP\25\0\240\1\24\0\4\0\0\0@W\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0Z\0\0\0" ... {128, 152, reply, 0, 316, 392, 1504, 0} "\7$\370w\340\373\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0HA\25\0\377\377\377\377HA\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\0\0HW\25\0xP\25\0\240\1\24\0\4\0\0\0@W\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0Z\0\0\0" ) ) == 0x0 02023 392 NtRequestWaitReplyPort (404, {32, 56, new_msg, 0, 44, 7, 20, 0} (404, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... 
{124, 148, reply, 0, 316, 392, 1505, 0} "\2 \372\177\1\00\300\0\0\0\0\224\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304K#\370X\5O\200\0 \372\177\0\0\0\0\0\0\0\0\230\202\22\201 \240\34\201\1\240\34\201\0\0\0\0\210\376\37\300 \240\34\201\0\0\0\0\0\0\324\0\377\377\323\0\0\0\0\0\0\0\324\0\0\4\0\0 \240\34\201 ) ... {124, 148, reply, 0, 316, 392, 1505, 0} (404, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\303~\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 316, 392, 1505, 0} "\2 \372\177\1\00\300\0\0\0\0\224\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\304K#\370X\5O\200\0 \372\177\0\0\0\0\0\0\0\0\230\202\22\201 \240\34\201\1\240\34\201\0\0\0\0\210\376\37\300 \240\34\201\0\0\0\0\0\0\324\0\377\377\323\0\0\0\0\0\0\0\324\0\0\4\0\0 \240\34\201 ) ) == 0x0 02024 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02025 392 NtQueryInformationFile (268, 1243760, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02026 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 02027 392 NtRequestWaitReplyPort (240, {28, 52, new_msg, 0, 0, 0, 0, 0} (240, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\28]\25\0" ... {176, 200, reply, 0, 316, 392, 1506, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 316, 392, 1506, 0} (240, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\28]\25\0" ... 
{176, 200, reply, 0, 316, 392, 1506, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 02028 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02029 392 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 02030 392 NtOpenProcessToken (-1, 0x20008, ... 408, ) == 0x0 02031 392 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02032 392 NtClose (408, ... ) == 0x0 02033 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 408, ) }, ... 408, ) == 0x0 02034 392 NtSetInformationObject (408, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 02035 392 NtOpenKey (0x3, {24, 408, 0x40, 0, 0, (0x3, {24, 408, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 412, ) }, ... 412, ) == 0x0 02036 392 NtOpenKey (0x1, {24, 412, 0x40, 0, 0, (0x1, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 416, ) }, ... 416, ) == 0x0 02037 392 NtQueryValueKey (416, (416, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02038 392 NtClose (416, ... ) == 0x0 02039 392 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 02040 392 NtAllocateVirtualMemory (-1, 1404928, 0, 20480, 4096, 4, ... 1404928, 20480, ) == 0x0 02041 392 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 02042 392 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02043 392 NtReleaseSemaphore (272, 1, ... 0, ) == 0x0 02044 392 NtWaitForSingleObject (272, 0, {0, 0}, ... ) == 0x0 02045 392 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02046 392 NtQueryValueKey (420, (420, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 02047 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 424, ) }, ... 424, ) == 0x0 02048 392 NtMapViewOfSection (424, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 02049 392 NtClose (424, ... ) == 0x0 02050 392 NtAllocateVirtualMemory (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0 02051 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 424, ) }, ... 424, ) == 0x0 02052 392 NtQueryValueKey (424, (424, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02053 392 NtClose (424, ... ) == 0x0 02054 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 424, ) }, ... 424, ) == 0x0 02055 392 NtQueryValueKey (424, (424, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02056 392 NtClose (424, ... 
) == 0x0 02057 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 424, ) }, ... 424, ) == 0x0 02058 392 NtQueryValueKey (424, (424, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 02059 392 NtClose (424, ... ) == 0x0 02060 392 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1238972, 0, (0x1f0003, {24, 52, 0x80, 1238972, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 424, ) }, 0, 1, ... 424, ) == STATUS_OBJECT_NAME_EXISTS 02061 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02062 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02063 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02064 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02065 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02066 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02067 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02068 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02069 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02070 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02071 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02072 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02073 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02074 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02075 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02076 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02077 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02078 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02079 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02080 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02081 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02082 392 NtQueryDefaultLocale (1, 1236808, ... 
) == 0x0 02083 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02084 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02085 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02086 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02087 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02088 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 428, ) == 0x0 02089 392 NtQueryInformationToken (428, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02090 392 NtClose (428, ... ) == 0x0 02091 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 02092 392 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 432, ) }, ... 432, ) == 0x0 02093 392 NtQueryValueKey (432, (432, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (432, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 02094 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02095 392 NtQueryValueKey (432, (432, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (432, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 02096 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02097 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02098 392 NtQueryDefaultLocale (1, 1236808, ... ) == 0x0 02099 392 NtQueryDefaultLocale (1, 1236808, ... 
) == 0x0 02100 392 NtClose (432, ... ) == 0x0 02101 392 NtClose (428, ... ) == 0x0 02102 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 428, ) }, ... 428, ) == 0x0 02103 392 NtQueryValueKey (428, (428, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02104 392 NtClose (428, ... ) == 0x0 02105 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 428, ) }, ... 428, ) == 0x0 02106 392 NtQueryValueKey (428, (428, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02107 392 NtQueryValueKey (428, (428, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02108 392 NtClose (428, ... ) == 0x0 02109 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02110 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 428, ) }, ... 428, ) == 0x0 02111 392 NtQueryValueKey (428, (428, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 392 NtClose (428, ... ) == 0x0 02113 392 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02114 392 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10747904, 4096, ) == 0x0 02115 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02116 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... 
{BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02117 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 428, ) }, ... 428, ) == 0x0 02118 392 NtQueryValueKey (428, (428, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02119 392 NtClose (428, ... ) == 0x0 02120 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 428, ) }, ... 428, ) == 0x0 02121 392 NtQueryValueKey (428, (428, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02122 392 NtClose (428, ... ) == 0x0 02123 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02124 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 428, ) }, ... 428, ) == 0x0 02125 392 NtQueryKey (428, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02126 392 NtQuerySecurityObject (428, 7, 0, ... ) == STATUS_ACCESS_DENIED 02127 392 NtEnumerateValueKey (428, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02128 392 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02129 392 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02130 392 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02131 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02132 392 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02133 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02134 392 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02135 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02136 392 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02137 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02138 392 NtEnumerateValueKey (428, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (428, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02139 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02140 392 NtEnumerateValueKey (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02141 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02142 392 NtEnumerateValueKey (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02143 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02144 392 NtEnumerateValueKey (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02145 392 NtEnumerateValueKey (428, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name= (428, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (428, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02146 392 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02147 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02148 392 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02149 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02150 392 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 2, Full, 220, ... 
TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02151 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02152 392 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02153 392 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02154 392 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02155 392 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02156 392 NtEnumerateValueKey (428, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name= (428, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (428, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02157 392 NtEnumerateValueKey (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (428, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02158 392 NtEnumerateValueKey (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (428, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02159 392 NtEnumerateValueKey (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (428, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02160 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02161 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02162 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239896, ... ) }, 1239896, ... ) == 0x0 02163 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02164 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02165 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02166 392 NtEnumerateValueKey (428, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (428, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02167 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02168 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02169 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239896, ... ) }, 1239896, ... ) == 0x0 02170 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02171 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02172 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02173 392 NtClose (428, ... ) == 0x0 02174 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 428, ) }, ... 428, ) == 0x0 02175 392 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "ActiveComputerName"}, ... 432, ) }, ... 432, ) == 0x0 02176 392 NtQueryValueKey (432, (432, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (432, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (432, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02177 392 NtClose (432, ... ) == 0x0 02178 392 NtClose (428, ... ) == 0x0 02179 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02180 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 428, ) }, ... 428, ) == 0x0 02181 392 NtQueryValueKey (428, (428, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02182 392 NtClose (428, ... ) == 0x0 02183 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 428, ) }, ... 428, ) == 0x0 02184 392 NtQueryValueKey (428, (428, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02185 392 NtClose (428, ... ) == 0x0 02186 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... 
{BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02187 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 428, ) }, ... 428, ) == 0x0 02188 392 NtQueryValueKey (428, (428, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02189 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02190 392 NtQueryValueKey (428, (428, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02191 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02192 392 NtClose (428, ... ) == 0x0 02193 392 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02194 392 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 02195 392 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02196 392 NtQueryInformationToken (416, Type, 4, ... 
{token info, class 8, size 4}, 4, ) == 0x0 02197 392 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 1241280, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02198 392 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02199 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02200 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 02201 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02202 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02203 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239484, (0xc0100080, {24, 0, 0x40, 0, 1239484, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0 02204 392 NtSetInformationFile (436, 1239540, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02205 392 NtSetInformationFile (436, 1239532, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02206 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02207 392 NtWriteFile (436, 377, 0, 0, (436, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02208 392 NtReadFile (436, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (436, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\208\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02209 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\208\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\208\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02210 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\250\360\22\0\1\0\0\0\260\266\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\250\360\22\0\1\0\0\0\260\266\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02211 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\330\266\25\0\1\0\0\0\344\266\25\0 \0\0\0\1\0\0\0\16\0\20\0\360\266\25\0\0\267\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0n$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\330\266\25\0\1\0\0\0\344\266\25\0 \0\0\0\1\0\0\0\16\0\20\0\360\266\25\0\0\267\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02212 392 NtClose (432, ... ) == 0x0 02213 392 NtClose (436, ... ) == 0x0 02214 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02215 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 436, ) == 0x0 02216 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02217 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02218 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239480, (0xc0100080, {24, 0, 0x40, 0, 1239480, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 02219 392 NtSetInformationFile (432, 1239536, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02220 392 NtSetInformationFile (432, 1239528, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02221 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02222 392 NtWriteFile (432, 377, 0, 0, (432, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02223 392 NtReadFile (432, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\209\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02224 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\209\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\209\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02225 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\244\360\22\0\1\0\0\0\260\266\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\244\360\22\0\1\0\0\0\260\266\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02226 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\330\266\25\0\1\0\0\0\344\266\25\0 \0\0\0\1\0\0\0\16\0\20\0\360\266\25\0\0\267\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0o$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\330\266\25\0\1\0\0\0\344\266\25\0 \0\0\0\1\0\0\0\16\0\20\0\360\266\25\0\0\267\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02227 392 NtClose (436, ... ) == 0x0 02228 392 NtClose (432, ... ) == 0x0 02229 392 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02230 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02231 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 02232 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02233 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02234 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239112, (0xc0100080, {24, 0, 0x40, 0, 1239112, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0 02235 392 NtSetInformationFile (436, 1239168, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02236 392 NtSetInformationFile (436, 1239160, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02237 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02238 392 NtWriteFile (436, 377, 0, 0, (436, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02239 392 NtReadFile (436, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (436, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20:\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02240 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20:\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20:\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02241 392 NtClose (432, ... ) == 0x0 02242 392 NtClose (436, ... ) == 0x0 02243 392 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 02244 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02245 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02246 392 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02247 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 436, ) }, ... 436, ) == 0x0 02248 392 NtQueryValueKey (436, (436, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (436, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02249 392 NtClose (436, ... ) == 0x0 02250 392 NtCreateKey (0x2001f, {24, 428, 0x40, 0, 0, (0x2001f, {24, 428, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 436, 2, ) }, 0, 0x0, 0, ... 436, 2, ) == 0x0 02251 392 NtQueryValueKey (436, (436, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (436, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02252 392 NtClose (436, ... ) == 0x0 02253 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02254 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02255 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1241184, ... ) }, 1241184, ... ) == 0x0 02256 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241192, (0x80100080, {24, 0, 0x40, 0, 1241192, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0 02257 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02258 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02259 392 NtQueryInformationFile (436, 1241208, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02260 392 NtReadFile (436, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02261 392 NtClose (436, ... ) == 0x0 02262 392 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "Environment"}, ... 436, ) }, ... 436, ) == 0x0 02263 392 NtAllocateVirtualMemory (-1, 1429504, 0, 12288, 4096, 4, ... 1429504, 12288, ) == 0x0 02264 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02265 392 NtEnumerateValueKey (436, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02266 392 NtEnumerateValueKey (436, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02267 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02268 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02269 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02270 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239924, ... ) }, 1239924, ... ) == 0x0 02271 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02272 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02273 392 NtClose (432, ... ) == 0x0 02274 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 
432, {status=0x0, info=1}, ) == 0x0 02275 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02276 392 NtClose (432, ... ) == 0x0 02277 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02278 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02279 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02280 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02281 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02282 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02283 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239924, ... ) }, 1239924, ... ) == 0x0 02284 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02285 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... 
{status=0x0, info=138}, ) == 0x0 02286 392 NtClose (432, ... ) == 0x0 02287 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02288 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02289 392 NtClose (432, ... ) == 0x0 02290 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02291 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02292 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02293 392 NtEnumerateValueKey (436, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02294 392 NtClose (436, ... ) == 0x0 02295 392 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "Volatile Environment"}, ... 436, ) }, ... 436, ) == 0x0 02296 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02297 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02298 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (436, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02299 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02300 392 NtEnumerateValueKey (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02301 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02302 392 NtEnumerateValueKey (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02303 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02304 392 NtEnumerateValueKey (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02305 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... 
{BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02306 392 NtEnumerateValueKey (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02307 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02308 392 NtEnumerateValueKey (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02309 392 NtEnumerateValueKey (436, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02310 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02311 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02312 392 NtEnumerateValueKey (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02313 392 NtEnumerateValueKey (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02314 392 NtEnumerateValueKey (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02315 392 NtEnumerateValueKey (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02316 392 NtEnumerateValueKey (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02317 392 NtEnumerateValueKey (436, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02318 392 NtClose (436, ... ) == 0x0 02319 392 NtClose (428, ... 
) == 0x0 02320 392 NtFreeVirtualMemory (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0 02321 392 NtClose (420, ... ) == 0x0 02322 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 1241848, ... ) }, 1241848, ... ) == 0x0 02323 392 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02324 392 NtSetValueKey (420, (420, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (420, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0 02325 392 NtClose (420, ... ) == 0x0 02326 392 NtClose (416, ... ) == 0x0 02327 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02328 392 NtQueryDirectoryFile (416, 0, 0, 0, 1240824, 616, BothDirectory, 1, (416, 0, 0, 0, 1240824, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02329 392 NtClose (416, ... ) == 0x0 02330 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02331 392 NtQueryDirectoryFile (416, 0, 0, 0, 1240824, 616, BothDirectory, 1, (416, 0, 0, 0, 1240824, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02332 392 NtClose (416, ... 
) == 0x0 02333 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02334 392 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02335 392 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02336 392 NtOpenKey (0x2001f, {24, 408, 0x40, 0, 0, (0x2001f, {24, 408, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 02337 392 NtCreateKey (0x2000000, {24, 420, 0x40, 0, 0, (0x2000000, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 02338 392 NtClose (420, ... ) == 0x0 02339 392 NtQueryValueKey (428, (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02340 392 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10747904, 4096, ) == 0x0 02341 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02342 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02343 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02344 392 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02345 392 NtClose (420, ... ) == 0x0 02346 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02347 392 NtQueryValueKey (420, (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02348 392 NtClose (420, ... ) == 0x0 02349 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02350 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 420, ) }, ... 420, ) == 0x0 02351 392 NtQueryKey (420, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02352 392 NtQuerySecurityObject (420, 7, 0, ... ) == STATUS_ACCESS_DENIED 02353 392 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02354 392 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02355 392 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02356 392 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02357 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02358 392 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02359 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02360 392 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02361 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02362 392 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02363 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02364 392 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02365 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02366 392 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02367 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02368 392 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02369 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02370 392 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02371 392 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02372 392 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02373 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02374 392 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02375 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02376 392 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02377 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02378 392 NtEnumerateValueKey (420, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02379 392 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02380 392 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02381 392 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02382 392 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02383 392 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02384 392 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02385 392 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02386 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02387 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02388 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239896, ... ) }, 1239896, ... ) == 0x0 02389 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02390 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02391 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02392 392 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02393 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02394 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02395 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239896, ... ) }, 1239896, ... ) == 0x0 02396 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02397 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02398 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02399 392 NtClose (420, ... ) == 0x0 02400 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 02401 392 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "ActiveComputerName"}, ... 436, ) }, ... 436, ) == 0x0 02402 392 NtQueryValueKey (436, (436, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (436, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (436, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02403 392 NtClose (436, ... ) == 0x0 02404 392 NtClose (420, ... ) == 0x0 02405 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... 
{BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02406 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02407 392 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02408 392 NtClose (420, ... ) == 0x0 02409 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02410 392 NtQueryValueKey (420, (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02411 392 NtClose (420, ... ) == 0x0 02412 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02413 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 420, ) }, ... 420, ) == 0x0 02414 392 NtQueryValueKey (420, (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02415 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02416 392 NtQueryValueKey (420, (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02417 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02418 392 NtClose (420, ... ) == 0x0 02419 392 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02420 392 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 02421 392 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02422 392 NtQueryInformationToken (416, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02423 392 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 1241280, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02424 392 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02425 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02426 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 436, ) == 0x0 02427 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02428 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02429 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239484, (0xc0100080, {24, 0, 0x40, 0, 1239484, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 02430 392 NtSetInformationFile (432, 1239540, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02431 392 NtSetInformationFile (432, 1239532, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02432 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02433 392 NtWriteFile (432, 377, 0, 0, (432, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02434 392 NtReadFile (432, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02435 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02436 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\250\360\22\0\1\0\0\0@\267\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\250\360\22\0\1\0\0\0@\267\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02437 392 NtFsControlFile (432, 377, 0x0, 0x0, 0x11c017, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0(\245\25\0\1\0\0\04\245\25\0 \0\0\0\1\0\0\0\16\0\20\0@\245\25\0P\245\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (432, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0p$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0(\245\25\0\1\0\0\04\245\25\0 \0\0\0\1\0\0\0\16\0\20\0@\245\25\0P\245\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02438 392 NtClose (436, ... ) == 0x0 02439 392 NtClose (432, ... ) == 0x0 02440 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02441 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 02442 392 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02443 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02444 392 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239480, (0xc0100080, {24, 0, 0x40, 0, 1239480, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 436, {status=0x0, info=1}, ) == 0x0 02445 392 NtSetInformationFile (436, 1239536, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02446 392 NtSetInformationFile (436, 1239528, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02447 392 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02448 392 NtWriteFile (436, 377, 0, 0, (436, 377, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02449 392 NtReadFile (436, 377, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (436, 377, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20<\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02450 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20<\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20<\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02451 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\244\360\22\0\1\0\0\0@\267\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305\1\0\0\0\244\360\22\0\1\0\0\0@\267\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02452 392 NtFsControlFile (436, 377, 0x0, 0x0, 0x11c017, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0(\245\25\0\1\0\0\04\245\25\0 \0\0\0\1\0\0\0\16\0\20\0@\245\25\0P\245\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (436, 377, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0q$)\372\303~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0(\245\25\0\1\0\0\04\245\25\0 \0\0\0\1\0\0\0\16\0\20\0@\245\25\0P\245\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\220\271\25\0\1\0\0\0\1\0\0\0\20\0\22\0\244\271\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02453 392 NtClose (432, ... ) == 0x0 02454 392 NtClose (436, ... ) == 0x0 02455 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02456 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02457 392 NtQueryInformationToken (416, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02458 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 436, ) }, ... 436, ) == 0x0 02459 392 NtQueryValueKey (436, (436, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (436, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02460 392 NtClose (436, ... ) == 0x0 02461 392 NtCreateKey (0x2001f, {24, 420, 0x40, 0, 0, (0x2001f, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 436, 2, ) }, 0, 0x0, 0, ... 436, 2, ) == 0x0 02462 392 NtQueryValueKey (436, (436, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (436, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02463 392 NtClose (436, ... ) == 0x0 02464 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02465 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02466 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1241184, ... ) }, 1241184, ... ) == 0x0 02467 392 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241192, (0x80100080, {24, 0, 0x40, 0, 1241192, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 436, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
436, {status=0x0, info=1}, ) == 0x0 02468 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02469 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02470 392 NtQueryInformationFile (436, 1241208, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02471 392 NtReadFile (436, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02472 392 NtClose (436, ... ) == 0x0 02473 392 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Environment"}, ... 436, ) }, ... 436, ) == 0x0 02474 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02475 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02476 392 NtEnumerateValueKey (436, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02477 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02478 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02479 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02480 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239924, ... ) }, 1239924, ... ) == 0x0 02481 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02482 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02483 392 NtClose (432, ... ) == 0x0 02484 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02485 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02486 392 NtClose (432, ... ) == 0x0 02487 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02488 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02489 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02490 392 NtEnumerateValueKey (436, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02491 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02492 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02493 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239924, ... ) }, 1239924, ... ) == 0x0 02494 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02495 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02496 392 NtClose (432, ... ) == 0x0 02497 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02498 392 NtQueryDirectoryFile (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, (432, 0, 0, 0, 1239284, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02499 392 NtClose (432, ... ) == 0x0 02500 392 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02501 392 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02502 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02503 392 NtEnumerateValueKey (436, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02504 392 NtClose (436, ... ) == 0x0 02505 392 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Volatile Environment"}, ... 436, ) }, ... 436, ) == 0x0 02506 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02507 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02508 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02509 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02510 392 NtEnumerateValueKey (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (436, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02511 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02512 392 NtEnumerateValueKey (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02513 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02514 392 NtEnumerateValueKey (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02515 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02516 392 NtEnumerateValueKey (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (436, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02517 392 NtQueryVirtualMemory (-1, 0xa40000, Basic, 28, ... {BaseAddress=0xa40000,AllocationBase=0xa40000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02518 392 NtEnumerateValueKey (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02519 392 NtEnumerateValueKey (436, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02520 392 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02521 392 NtEnumerateValueKey (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (436, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02522 392 NtEnumerateValueKey (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (436, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02523 392 NtEnumerateValueKey (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (436, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02524 392 NtEnumerateValueKey (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (436, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02525 392 NtEnumerateValueKey (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (436, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02526 392 NtEnumerateValueKey (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (436, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02527 392 NtEnumerateValueKey (436, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02528 392 NtClose (436, ... ) == 0x0 02529 392 NtClose (420, ... ) == 0x0 02530 392 NtFreeVirtualMemory (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0 02531 392 NtClose (428, ... ) == 0x0 02532 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1241848, ... ) }, 1241848, ... ) == 0x0 02533 392 NtQueryInformationToken (416, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02534 392 NtOpenKey (0x2001f, {24, 408, 0x40, 0, 0, (0x2001f, {24, 408, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 02535 392 NtCreateKey (0x2000000, {24, 428, 0x40, 0, 0, (0x2000000, {24, 428, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02536 392 NtClose (428, ... ) == 0x0 02537 392 NtSetValueKey (420, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 02538 392 NtClose (420, ... ) == 0x0 02539 392 NtClose (416, ... ) == 0x0 02540 392 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02541 392 NtCreateKey (0x2, {24, 412, 0x40, 0, 0, (0x2, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 416, 2, ) }, 0, "", 0, ... 416, 2, ) == 0x0 02542 392 NtSetValueKey (416, (416, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (416, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02543 392 NtClose (416, ... ) == 0x0 02544 392 NtOpenKey (0x20019, {24, 412, 0x40, 0, 0, (0x20019, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 416, ) }, ... 416, ) == 0x0 02545 392 NtQueryValueKey (416, (416, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (416, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02546 392 NtQueryValueKey (416, (416, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02547 392 NtQueryValueKey (416, (416, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02548 392 NtQueryValueKey (416, (416, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02549 392 NtClose (416, ... ) == 0x0 02550 392 NtWaitForSingleObject (328, 0, 0x0, ... ) == 0x0 02551 392 NtCreateKey (0x1, {24, 412, 0x40, 0, 0, (0x1, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 416, 2, ) }, 0, "", 0, ... 416, 2, ) == 0x0 02552 392 NtQueryValueKey (416, (416, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (416, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02553 392 NtQueryValueKey (416, (416, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (416, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02554 392 NtReleaseMutant (328, ... 0x0, ) == 0x0 02555 392 NtClose (416, ... ) == 0x0 02556 392 NtWaitForSingleObject (328, 0, 0x0, ... 
) == 0x0 02557 392 NtCreateKey (0x1, {24, 412, 0x40, 0, 0, (0x1, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 416, 2, ) }, 0, "", 0, ... 416, 2, ) == 0x0 02558 392 NtQueryValueKey (416, (416, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (416, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02559 392 NtQueryValueKey (416, (416, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (416, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02560 392 NtReleaseMutant (328, ... 0x0, ) == 0x0 02561 392 NtClose (416, ... ) == 0x0 02562 392 NtWaitForSingleObject (312, 0, 0x0, ... ) == 0x0 02563 392 NtClearEvent (312, ... ) == 0x0 02564 392 NtSetEvent (312, ... 0x0, ) == 0x0 02565 392 NtCreateKey (0x20006, {24, 412, 0x40, 0, 0, (0x20006, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 416, 2, ) }, 0, "", 0, ... 416, 2, ) == 0x0 02566 392 NtSetValueKey (416, (416, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (416, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02567 392 NtDeleteValueKey (416, (416, "ProxyServer", ... ) , ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02568 392 NtDeleteValueKey (416, (416, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02569 392 NtDeleteValueKey (416, (416, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02570 392 NtClose (416, ... ) == 0x0 02571 392 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 416, ) }, ... 416, ) == 0x0 02572 392 NtCreateKey (0x2, {24, 416, 0x40, 0, 0, (0x2, {24, 416, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 420, 2, ) }, 0, "", 0, ... 420, 2, ) == 0x0 02573 392 NtSetValueKey (420, (420, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (420, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02574 392 NtClose (420, ... ) == 0x0 02575 392 NtWaitForSingleObject (328, 0, 0x0, ... ) == 0x0 02576 392 NtCreateKey (0x1, {24, 412, 0x40, 0, 0, (0x1, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 420, 2, ) }, 0, "", 0, ... 420, 2, ) == 0x0 02577 392 NtQueryValueKey (420, (420, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (420, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02578 392 NtQueryValueKey (420, (420, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (420, "SavedLegacySettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02579 392 NtCreateKey (0x2, {24, 412, 0x40, 0, 0, (0x2, {24, 412, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 428, 2, ) }, 0, "", 0, ... 428, 2, ) == 0x0 02580 392 NtReleaseMutant (328, ... 0x0, ) == 0x0 02581 392 NtClose (420, ... ) == 0x0 02582 392 NtSetValueKey (428, (428, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3, (428, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ... 02583 392 NtSetInformationFile (-2147482736, -133331148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02584 392 NtSetInformationFile (-2147482736, -133331184, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02585 392 NtSetInformationFile (-2147482736, -133331248, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02582 392 NtSetValueKey ... ) == 0x0 02586 392 NtClose (428, ... ) == 0x0 02587 392 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02588 392 NtQueryInformationFile (268, 1243916, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02589 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 02590 392 NtReleaseMutant (320, ... 0x0, ) == 0x0 02591 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10747904, 1048576, ) == 0x0 02592 392 NtAllocateVirtualMemory (-1, 11788288, 0, 8192, 4096, 4, ... 11788288, 8192, ) == 0x0 02593 392 NtProtectVirtualMemory (-1, (0xb3e000), 4096, 260, ... (0xb3e000), 4096, 4, ) == 0x0 02594 392 NtCreateThread (0x1f03ff, 0x0, -1, 1244284, 1245000, 1, ... 428, {316, 572}, ) == 0x0 02595 392 NtQueryInformationThread (428, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=316,Tid=572,}, 0x0, ) == 0x0 02596 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1981821644, 0, 1244052, 1981821578} (24, {28, 56, new_msg, 0, 1981821644, 0, 1244052, 1981821578} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\254\1\0\0<\1\0\0<\2\0\0" ... {28, 56, reply, 0, 316, 392, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\254\1\0\0<\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 316, 392, 1507, 0} (24, {28, 56, new_msg, 0, 1981821644, 0, 1244052, 1981821578} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\254\1\0\0<\1\0\0<\2\0\0" ... {28, 56, reply, 0, 316, 392, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\254\1\0\0<\1\0\0<\2\0\0" ) ) == 0x0 02597 392 NtResumeThread (428, ... 1, ) == 0x0 02598 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11796480, 1048576, ) == 0x0 02599 572 NtTestAlert (... ) == 0x0 02600 572 NtContinue (11795760, 1, ... 02601 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02602 572 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02603 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 02604 572 NtQueryDirectoryFile (420, 0, 0, 0, 11794152, 616, BothDirectory, 1, (420, 0, 0, 0, 11794152, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 02605 392 NtAllocateVirtualMemory (-1, 12836864, 0, 8192, 4096, 4, ... 12836864, 8192, ) == 0x0 02606 392 NtProtectVirtualMemory (-1, (0xc3e000), 4096, 260, ... (0xc3e000), 4096, 4, ) == 0x0 02607 392 NtCreateThread (0x1f03ff, 0x0, -1, 1244284, 1245000, 1, ... 436, {316, 588}, ) == 0x0 02608 392 NtQueryInformationThread (436, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=316,Tid=588,}, 0x0, ) == 0x0 02609 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 392, 1507, 0} (24, {28, 56, new_msg, 0, 316, 392, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\264\1\0\0<\1\0\0L\2\0\0" ... {28, 56, reply, 0, 316, 392, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\264\1\0\0<\1\0\0L\2\0\0" ) ... {28, 56, reply, 0, 316, 392, 1508, 0} (24, {28, 56, new_msg, 0, 316, 392, 1507, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\264\1\0\0<\1\0\0L\2\0\0" ... {28, 56, reply, 0, 316, 392, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\264\1\0\0<\1\0\0L\2\0\0" ) ) == 0x0 02610 392 NtResumeThread (436, ... 02611 572 NtQueryDirectoryFile (420, 0, 0, 0, 1436272, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0 02612 572 NtAllocateVirtualMemory (-1, 11784192, 0, 4096, 4096, 260, ... 11784192, 4096, ) == 0x0 02613 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 02614 572 NtQueryDirectoryFile (432, 0, 0, 0, 11793532, 616, BothDirectory, 1, (432, 0, 0, 0, 11793532, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 02615 572 NtQueryDirectoryFile (432, 0, 0, 0, 1423840, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3982}, ) == 0x0 02616 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 440, {status=0x0, info=1}, ) }, 3, 16417, ... 440, {status=0x0, info=1}, ) == 0x0 02610 392 NtResumeThread ... 1, ) == 0x0 02617 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12845056, 1048576, ) == 0x0 02618 392 NtAllocateVirtualMemory (-1, 13885440, 0, 8192, 4096, 4, ... 13885440, 8192, ) == 0x0 02619 392 NtProtectVirtualMemory (-1, (0xd3e000), 4096, 260, ... 
(0xd3e000), 4096, 4, ) == 0x0 02620 392 NtCreateThread (0x1f03ff, 0x0, -1, 1244284, 1245000, 1, ... 444, {316, 584}, ) == 0x0 02621 392 NtQueryInformationThread (444, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=316,Tid=584,}, 0x0, ) == 0x0 02622 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 392, 1508, 0} (24, {28, 56, new_msg, 0, 316, 392, 1508, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\274\1\0\0<\1\0\0H\2\0\0" ... ... 02623 572 NtQueryDirectoryFile (440, 0, 0, 0, 11792912, 616, BothDirectory, 1, (440, 0, 0, 0, 11792912, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02624 588 NtTestAlert (... 02623 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02624 588 NtTestAlert ... ) == 0x0 02625 572 NtQueryDirectoryFile (440, 0, 0, 0, 1427944, 4096, BothDirectory, 0, 0x0, 0, ... 02626 588 NtContinue (12844336, 1, ... 02625 572 NtQueryDirectoryFile ... {status=0x0, info=4094}, ) == 0x0 02627 588 NtRegisterThreadTerminatePort (24, ... 02628 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\"}, 3, 16417, ... }, 3, 16417, ... 02627 588 NtRegisterThreadTerminatePort ... ) == 0x0 02628 572 NtOpenFile ... 448, {status=0x0, info=1}, ) == 0x0 02622 392 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 392, 1509, 0} ... {28, 56, reply, 0, 316, 392, 1509, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\314\373\22\0\274\1\0\0<\1\0\0H\2\0\0" ) ) == 0x0 02629 588 NtWaitForSingleObject (320, 0, 0x0, ... 02630 392 NtResumeThread (444, ... 02629 588 NtWaitForSingleObject ... ) == 0x0 02630 392 NtResumeThread ... 1, ) == 0x0 02631 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 02632 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 02633 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02634 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02635 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02636 584 NtTestAlert (... 02635 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02636 584 NtTestAlert ... ) == 0x0 02637 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 02638 584 NtContinue (13892912, 1, ... 02637 572 NtQueryDirectoryFile ... {status=0x0, info=2666}, ) == 0x0 02639 584 NtRegisterThreadTerminatePort (24, ... 02640 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\"}, 3, 16417, ... }, 3, 16417, ... 02639 584 NtRegisterThreadTerminatePort ... ) == 0x0 02640 572 NtOpenFile ... 452, {status=0x0, info=1}, ) == 0x0 02641 588 NtAllocateVirtualMemory (-1, 12832768, 0, 4096, 4096, 260, ... 02642 584 NtWaitForSingleObject (320, 0, 0x0, ... 02641 588 NtAllocateVirtualMemory ... 12832768, 4096, ) == 0x0 02643 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 456, 2, ) }, 0, 0x0, 0, ... 456, 2, ) == 0x0 02644 588 NtCreateKey (0x20019, {24, 456, 0x40, 0, 0, (0x20019, {24, 456, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 460, 2, ) }, 0, 0x0, 0, ... 460, 2, ) == 0x0 02645 588 NtClose (456, ... ) == 0x0 02646 588 NtQueryValueKey (460, (460, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02647 588 NtClose (460, ... ) == 0x0 02648 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... 
, 0, ... 02649 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02650 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02651 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02652 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02653 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02654 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02655 588 NtReleaseMutant (320, ... 02642 584 NtWaitForSingleObject ... ) == 0x0 02656 584 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 02657 584 NtReleaseMutant (324, ... 0x0, ) == 0x0 02658 584 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02659 584 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02655 588 NtReleaseMutant ... 0x0, ) == 0x0 02660 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 460, ) == 0x0 02661 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02662 588 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 456, ) == 0x0 02663 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 02664 584 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 464, 2, ) }, 0, 0x0, 0, ... 464, 2, ) == 0x0 02665 584 NtCreateKey (0x20019, {24, 464, 0x40, 0, 0, (0x20019, {24, 464, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 468, 2, ) }, 0, 0x0, 0, ... 468, 2, ) == 0x0 02666 584 NtClose (464, ... 
) == 0x0 02667 584 NtQueryValueKey (468, (468, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02668 584 NtClose (468, ... ) == 0x0 02669 584 NtWaitForSingleObject (256, 0, 0x0, ... 02663 588 NtCreateFile ... 468, {status=0x0, info=0}, ) == 0x0 02670 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02671 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02669 584 NtWaitForSingleObject ... ) == 0x0 02672 584 NtQueryInformationFile (268, 13892192, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02673 584 NtReleaseMutant (256, ... 0x0, ) == 0x0 02674 584 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02675 584 NtQueryInformationFile (268, 13892348, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02676 584 NtReleaseMutant (256, ... 0x0, ) == 0x0 02677 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02678 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02679 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 02680 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12840452, ... ) }, 12840452, ... ) == 0x0 02681 588 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 464, ) == 0x0 02682 588 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02683 584 NtReleaseMutant (320, ... 0x0, ) == 0x0 02684 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13893632, 1048576, ) == 0x0 02685 584 NtAllocateVirtualMemory (-1, 14934016, 0, 8192, 4096, 4, ... 14934016, 8192, ) == 0x0 02686 584 NtProtectVirtualMemory (-1, (0xe3e000), 4096, 260, ... (0xe3e000), 4096, 4, ) == 0x0 02687 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 472, {316, 580}, ) == 0x0 02688 584 NtQueryInformationThread (472, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=316,Tid=580,}, 0x0, ) == 0x0 02682 588 NtDuplicateObject ... 476, ) == 0x0 02689 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 480, ) == 0x0 02690 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12841044, 112, ... 484, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12841044, 112, ... 
484, 0x0, 0x0, 0x0, 112, ) == 0x0 02691 588 NtRequestWaitReplyPort (484, {128, 152, new_msg, 0, 1310720, 126504, 1310720, 12840808} (484, {128, 152, new_msg, 0, 1310720, 126504, 1310720, 12840808} "\0$\370w\30\366\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240Z\25\0\4\0\0\0\240Z\25\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\210\263\25\0\1\0\0\0\7\0\0\08\3\24\0\200\263\25\0\360\264\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\12\0\0\0" ... {128, 152, reply, 0, 316, 588, 1511, 0} "\7$\370w\30\366\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240Z\25\0\377\377\377\377\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\210\263\25\0\1\0\0\0\7\0\0\08\3\24\0\200\263\25\0\360\264\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\12\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1511, 0} (484, {128, 152, new_msg, 0, 1310720, 126504, 1310720, 12840808} "\0$\370w\30\366\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240Z\25\0\4\0\0\0\240Z\25\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\210\263\25\0\1\0\0\0\7\0\0\08\3\24\0\200\263\25\0\360\264\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\12\0\0\0" ... {128, 152, reply, 0, 316, 588, 1511, 0} "\7$\370w\30\366\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240Z\25\0\377\377\377\377\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0\210\263\25\0\1\0\0\0\7\0\0\08\3\24\0\200\263\25\0\360\264\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\12\0\0\0" ) ) == 0x0 02692 588 NtRequestWaitReplyPort (484, {64, 88, new_msg, 0, 7143521, 4587552, 7077993, 7536741} (484, {64, 88, new_msg, 0, 7143521, 4587552, 7077993, 7536741} "\1\0\0\0A\2\10\0m\0o\0n\0 \0F\0i\0l\0e\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 
02693 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1981821644, 0, 13892484, 1981821578} (24, {28, 56, new_msg, 0, 1981821644, 0, 13892484, 1981821578} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\330\1\0\0<\1\0\0D\2\0\0" ... {28, 56, reply, 0, 316, 584, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\330\1\0\0<\1\0\0D\2\0\0" ) ... {28, 56, reply, 0, 316, 584, 1513, 0} (24, {28, 56, new_msg, 0, 1981821644, 0, 13892484, 1981821578} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\330\1\0\0<\1\0\0D\2\0\0" ... {28, 56, reply, 0, 316, 584, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\330\1\0\0<\1\0\0D\2\0\0" ) ) == 0x0 02694 584 NtResumeThread (472, ... 1, ) == 0x0 02695 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02696 580 NtTestAlert (... ) == 0x0 02697 580 NtContinue (14941488, 1, ... 02698 580 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02699 580 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 488, ) == 0x0 02700 580 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02701 580 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02695 584 NtAllocateVirtualMemory ... 14942208, 1048576, ) == 0x0 02692 588 NtRequestWaitReplyPort ... {52, 76, reply, 0, 316, 588, 1512, 0} ... {52, 76, reply, 0, 316, 588, 1512, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02702 584 NtAllocateVirtualMemory (-1, 15982592, 0, 8192, 4096, 4, ... 02701 580 NtCreateEvent ... 492, ) == 0x0 02702 584 NtAllocateVirtualMemory ... 15982592, 8192, ) == 0x0 02703 580 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14941428, 67, ... }, 0x0, 0, 3, 3, 0, 14941428, 67, ... 02704 584 NtProtectVirtualMemory (-1, (0xf3e000), 4096, 260, ... 02703 580 NtCreateFile ... 496, {status=0x0, info=0}, ) == 0x0 02704 584 NtProtectVirtualMemory ... 
(0xf3e000), 4096, 4, ) == 0x0 02705 580 NtDeviceIoControlFile (496, 492, 0x0, 0x0, 0x12047, (496, 492, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\250\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02706 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 02705 580 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02707 588 NtClose (480, ... 02708 580 NtWaitForSingleObject (232, 0, {0, 0}, ... 02707 588 NtClose ... ) == 0x0 02706 584 NtCreateThread ... 480, {316, 636}, ) == 0x0 02709 588 NtClose (484, ... 02710 584 NtQueryInformationThread (480, Basic, 28, ... 02709 588 NtClose ... ) == 0x0 02710 584 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=316,Tid=636,}, 0x0, ) == 0x0 02711 588 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 02712 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1513, 0} (24, {28, 56, new_msg, 0, 316, 584, 1513, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\340\1\0\0<\1\0\0|\2\0\0" ... ... 02711 588 NtCreateKey ... 484, 2, ) == 0x0 02712 584 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 584, 1515, 0} ... {28, 56, reply, 0, 316, 584, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\340\1\0\0<\1\0\0|\2\0\0" ) ) == 0x0 02708 580 NtWaitForSingleObject ... 
) == 0x102 02713 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02714 580 NtDeviceIoControlFile (496, 492, 0x0, 0x0, 0x1203b, (496, 492, 0x0, 0x0, 0x1203b, "\2\0\0\0 \31\25\0\1\0\0\0\0\0\0\0", 16, 0, ... , 16, 0, ... 02713 588 NtOpenKey ... 500, ) == 0x0 02714 580 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02715 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02716 580 NtDeviceIoControlFile (496, 492, 0x0, 0x0, 0x12003, (496, 492, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02715 588 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02716 580 NtDeviceIoControlFile ... {status=0x0, info=504}, ... {status=0x0, info=504}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02717 588 NtQueryValueKey (484, (484, "Hostname", Partial, 144, ... , Partial, 144, ... 02718 584 NtResumeThread (480, ... 02717 588 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02718 584 NtResumeThread ... 1, ) == 0x0 02719 580 NtDeviceIoControlFile (496, 492, 0x0, 0x0, 0x12047, (496, 492, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\247\25\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02720 584 NtDelayExecution (0, {-500000, -1}, ... 02719 580 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02721 580 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 508, ) == 0x0 02722 580 NtSetInformationObject (508, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 02723 580 NtAllocateVirtualMemory (-1, 14929920, 0, 4096, 4096, 260, ... 14929920, 4096, ) == 0x0 02724 580 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 14938744, ... ) }, 14938744, ... ) == 0x0 02725 580 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 512, ) == 0x0 02726 588 NtQueryValueKey (484, (484, "Hostname", Partial, 144, ... , Partial, 144, ... 02727 636 NtTestAlert (... 02726 588 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02727 636 NtTestAlert ... ) == 0x0 02728 588 NtClose (484, ... 02729 636 NtContinue (15990064, 1, ... 02728 588 NtClose ... ) == 0x0 02730 636 NtRegisterThreadTerminatePort (24, ... 02731 588 NtClose (500, ... 02730 636 NtRegisterThreadTerminatePort ... ) == 0x0 02731 588 NtClose ... ) == 0x0 02732 580 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02733 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02732 580 NtAllocateVirtualMemory ... 15990784, 1048576, ) == 0x0 02733 636 NtDuplicateObject ... 500, ) == 0x0 02734 580 NtAllocateVirtualMemory (-1, 17031168, 0, 8192, 4096, 4, ... 02735 636 NtWaitForSingleObject (292, 0, {0, 0}, ... 02734 580 NtAllocateVirtualMemory ... 17031168, 8192, ) == 0x0 02735 636 NtWaitForSingleObject ... ) == 0x102 02736 580 NtProtectVirtualMemory (-1, (0x103e000), 4096, 260, ... 02737 636 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02736 580 NtProtectVirtualMemory ... (0x103e000), 4096, 4, ) == 0x0 02738 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 02737 636 NtCreateEvent ... 484, ) == 0x0 02738 588 NtCreateEvent ... 516, ) == 0x0 02739 636 NtWaitForSingleObject (484, 0, 0x0, ... 
02740 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840908, 112, ... 520, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840908, 112, ... 520, 0x0, 0x0, 0x0, 112, ) == 0x0 02741 588 NtRequestWaitReplyPort (520, {128, 152, new_msg, 0, 1310720, 126368, 1310720, 12840672} (520, {128, 152, new_msg, 0, 1310720, 126368, 1310720, 12840672} "\0$\370w\220\365\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240Z\25\0\4\0\0\0\240Z\25\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\0\0\0\0x\260\25\0\0\0\0\0\320\251\25\0\200\251\25\0\250\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 316, 588, 1517, 0} "\7$\370w\220\365\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240Z\25\0\377\377\377\377\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\0\0\0\0x\260\25\0\0\0\0\0\320\251\25\0\200\251\25\0\250\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1517, 0} (520, {128, 152, new_msg, 0, 1310720, 126368, 1310720, 12840672} "\0$\370w\220\365\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\240Z\25\0\4\0\0\0\240Z\25\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\0\0\0\0x\260\25\0\0\0\0\0\320\251\25\0\200\251\25\0\250\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1517, 0} "\7$\370w\220\365\303\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240Z\25\0\377\377\377\377\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0\0\0\0\0x\260\25\0\0\0\0\0\320\251\25\0\200\251\25\0\250\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0\320\251\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02742 588 NtRequestWaitReplyPort (520, {44, 68, new_msg, 0, 316, 588, 1512, 0} (520, {44, 68, new_msg, 0, 316, 588, 1512, 0} "\1\200\0\0A\2\4\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 02743 580 NtCreateThread (0x1f03ff, 0x0, -1, 14940244, 14940960, 1, ... 524, {316, 732}, ) == 0x0 02744 580 NtQueryInformationThread (524, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=316,Tid=732,}, 0x0, ) == 0x0 02745 580 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0<\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 316, 580, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0<\1\0\0\334\2\0\0" ) ... {28, 56, reply, 0, 316, 580, 1519, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0<\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 316, 580, 1519, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\14\2\0\0<\1\0\0\334\2\0\0" ) ) == 0x0 02746 580 NtResumeThread (524, ... 1, ) == 0x0 02747 580 NtClose (524, ... ) == 0x0 02748 580 NtCreateFile (0xc0100000, {24, 0, 0x40, 0, 0, (0xc0100000, {24, 0, 0x40, 0, 0, "\Device\Afd\AsyncConnectHlp"}, 0x0, 0, 3, 3, 0, 0, 0, ... }, 0x0, 0, 3, 3, 0, 0, 0, ... 02749 732 NtTestAlert (... ) == 0x0 02750 732 NtContinue (17038640, 1, ... 02751 732 NtRegisterThreadTerminatePort (24, ... ) == 0x0 02752 732 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 02753 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 02748 580 NtCreateFile ... 
524, {status=0x0, info=0}, ) == 0x0 02754 580 NtSetInformationFile (524, 14941348, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02755 580 NtSetInformationObject (524, Handle, {Inherit=0,ProtectFromClose=1,}, 4456704, ... ) == 0x0 02756 580 NtDeviceIoControlFile (524, 0, 0x0, 0x15aa80, 0x12007, (524, 0, 0x0, 0x15aa80, 0x12007, "\0\0\0\0\16\0\2\0\360\1\0\0\1\0\0\0\16\0\2\0\1\275\201\345\300\232\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02753 732 NtRemoveIoCompletion ... 1906658213, 1419904, {status=0xc000023d, info=0}, ) == 0x0 02757 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 528, ) == 0x0 02758 732 NtWaitForSingleObject (528, 0, 0x0, ... 02756 580 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02759 580 NtSetEventBoostPriority (528, ... 02758 732 NtWaitForSingleObject ... ) == 0x0 02760 732 NtDeviceIoControlFile (496, 512, 0x0, 0x0, 0x12037, (496, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (496, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02761 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 02759 580 NtSetEventBoostPriority ... ) == 0x0 02762 580 NtDeviceIoControlFile (496, 492, 0x0, 0x0, 0x12024, (496, 492, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0\360\1\0\0\4\0\0\0\364\374\343\0", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... {status=0x71a561a7, info=0}, "", ) == 0x103 02763 580 NtWaitForSingleObject (492, 1, {-5000000, -1}, ... 02742 588 NtRequestWaitReplyPort ... {40, 64, reply, 0, 316, 588, 1518, 0} ... 
{40, 64, reply, 0, 316, 588, 1518, 0} "\2\200\372\177\4\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02764 588 NtRequestWaitReplyPort (520, {64, 88, new_msg, 56, 0, 1, 0, 0} (520, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\361\303\0@\0\314w`\261\25\0\224\361\303\0\374\361\303\0\0\267\362v\374\361\303\0`\261\25\0\1\0\0\0\310\252\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 316, 588, 1520, 0} "\10\361\303\0@\0\314w`\261\25\0\224\361\303\0\374\361\303\0\0\267\362v\374\361\303\0`\261\25\0\1\0\0\0\310\252\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 316, 588, 1520, 0} (520, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\361\303\0@\0\314w`\261\25\0\224\361\303\0\374\361\303\0\0\267\362v\374\361\303\0`\261\25\0\1\0\0\0\310\252\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 316, 588, 1520, 0} "\10\361\303\0@\0\314w`\261\25\0\224\361\303\0\374\361\303\0\0\267\362v\374\361\303\0`\261\25\0\1\0\0\0\310\252\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02765 588 NtClose (516, ... ) == 0x0 02766 588 NtClose (520, ... ) == 0x0 02767 588 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 520, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 520, 2, ) , 0, ... 520, 2, ) == 0x0 02768 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 516, ) }, ... 516, ) == 0x0 02769 588 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02770 588 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02771 588 NtQueryValueKey (520, (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (520, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02772 588 NtClose (520, ... ) == 0x0 02773 588 NtClose (516, ... ) == 0x0 02774 588 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 516, ) }, ... 516, ) == 0x0 02775 588 NtQueryValueKey (516, (516, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02776 588 NtClose (516, ... ) == 0x0 02777 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12840452, ... ) }, 12840452, ... ) == 0x0 02778 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 516, {status=0x0, info=1}, ) }, 5, 96, ... 516, {status=0x0, info=1}, ) == 0x0 02779 588 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 516, ... 520, ) == 0x0 02780 588 NtClose (516, ... ) == 0x0 02781 588 NtMapViewOfSection (520, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1040000), 0x0, 16384, ) == 0x0 02782 588 NtClose (520, ... ) == 0x0 02783 588 NtUnmapViewOfSection (-1, 0x1040000, ... ) == 0x0 02784 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12840768, ... ) }, 12840768, ... ) == 0x0 02785 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 520, {status=0x0, info=1}, ) }, 5, 96, ... 520, {status=0x0, info=1}, ) == 0x0 02786 588 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 520, ... 516, ) == 0x0 02787 588 NtQuerySection (516, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 02788 588 NtClose (520, ... ) == 0x0 02789 588 NtMapViewOfSection (516, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02790 588 NtClose (516, ... ) == 0x0 02791 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12840452, ... ) }, 12840452, ... ) == 0x0 02792 588 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02793 588 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 17039360, 65536, ) == 0x0 02794 588 NtAllocateVirtualMemory (-1, 17039360, 0, 4096, 4096, 4, ... 17039360, 4096, ) == 0x0 02795 588 NtAllocateVirtualMemory (-1, 17043456, 0, 8192, 4096, 4, ... 17043456, 8192, ) == 0x0 02796 588 NtSetEventBoostPriority (484, ... 02739 636 NtWaitForSingleObject ... ) == 0x0 02797 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 516, ) == 0x0 02798 636 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 520, ) == 0x0 02799 636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 532, ) == 0x0 02800 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 536, ) == 0x0 02796 588 NtSetEventBoostPriority ... ) == 0x0 02801 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15987336, 112, ... 540, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15987336, 112, ... 
540, 0x0, 0x0, 0x0, 112, ) == 0x0 02802 636 NtRequestWaitReplyPort (540, {128, 152, new_msg, 0, 127068, 1310720, 15987100, 2012750850} (540, {128, 152, new_msg, 0, 127068, 1310720, 15987100, 2012750850} "\0\370\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\310\261\25\0\340v\25\0\0\0\0\0\330v\25\0\0w\25\0px\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0m\5\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 636, 1523, 0} "\7\370\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\310\261\25\0\340v\25\0\0\0\0\0\330v\25\0\0w\25\0px\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0m\5\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 636, 1523, 0} (540, {128, 152, new_msg, 0, 127068, 1310720, 15987100, 2012750850} "\0\370\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\310\261\25\0\340v\25\0\0\0\0\0\330v\25\0\0w\25\0px\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0m\5\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 636, 1523, 0} "\7\370\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0\310\261\25\0\340v\25\0\0\0\0\0\330v\25\0\0w\25\0px\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0m\5\0\0\5\0\0\0" ) ) == 0x0 02803 636 NtRequestWaitReplyPort (540, {64, 88, new_msg, 0, 0, 0, 0, 0} (540, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 636, 1524, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... 
{52, 76, reply, 0, 316, 636, 1524, 0} (540, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 636, 1524, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02804 636 NtClose (536, ... ) == 0x0 02805 636 NtClose (540, ... 02806 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 536, ) == 0x0 02807 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 544, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 544, 0x0, 0x0, 0x0, 112, ) == 0x0 02808 588 NtRequestWaitReplyPort (544, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (544, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\210\263\25\0\0\0\0\0\230}\25\0\0|\25\0p}\25\0\0\0\0\0\0\0\0\0\0\0\0\0\230}\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02805 636 NtClose ... ) == 0x0 02809 636 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 540, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 540, 2, ) , 0, ... 540, 2, ) == 0x0 02810 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 548, ) }, ... 548, ) == 0x0 02811 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02808 588 NtRequestWaitReplyPort ... {128, 152, reply, 0, 316, 588, 1526, 0} ... 
{128, 152, reply, 0, 316, 588, 1526, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\0\210\263\25\0\0\0\0\0\230}\25\0\0|\25\0p}\25\0\0\0\0\0\0\0\0\0\0\0\0\0\230}\25\0x\1\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02812 588 NtRequestWaitReplyPort (544, {104, 128, new_msg, 0, 316, 588, 1518, 0} (544, {104, 128, new_msg, 0, 316, 588, 1518, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02811 636 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02813 636 NtQueryValueKey (540, (540, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (540, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02814 636 NtQueryValueKey (540, (540, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (540, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02815 636 NtClose (540, ... 02812 588 NtRequestWaitReplyPort ... {44, 68, reply, 0, 316, 588, 1528, 0} ... {44, 68, reply, 0, 316, 588, 1528, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02816 588 NtClose (536, ... ) == 0x0 02817 588 NtClose (544, ... ) == 0x0 02818 588 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 544, ) }, ... 544, ) == 0x0 02819 588 NtQueryValueKey (544, (544, "WinSock_Registry_Version", Partial, 144, ... , Partial, 144, ... 02815 636 NtClose ... ) == 0x0 02820 636 NtClose (548, ... 
) == 0x0 02821 636 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 548, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 548, 2, ) , 0, ... 548, 2, ) == 0x0 02822 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 540, ) }, ... 540, ) == 0x0 02823 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02824 636 NtQueryValueKey (548, (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02825 636 NtQueryValueKey (548, (548, "Domain", Partial, 144, ... , Partial, 144, ... 02819 588 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02826 588 NtQueryValueKey (544, (544, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (544, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02827 588 NtQueryValueKey (544, (544, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02828 588 NtClose (544, ... ) == 0x0 02829 588 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02830 588 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 12841488, ... }, 12841488, ... 02825 636 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02831 636 NtClose (548, ... ) == 0x0 02832 636 NtClose (540, ... ) == 0x0 02648 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02833 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1692}, ) == 0x0 02834 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\"}, 3, 16417, ... 540, {status=0x0, info=1}, ) }, 3, 16417, ... 540, {status=0x0, info=1}, ) == 0x0 02835 572 NtQueryDirectoryFile (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02836 636 NtWaitForSingleObject (292, 0, {0, 0}, ... 02835 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02836 636 NtWaitForSingleObject ... ) == 0x102 02837 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 548, ) == 0x0 02838 636 NtAllocateVirtualMemory (-1, 15978496, 0, 4096, 4096, 260, ... 15978496, 4096, ) == 0x0 02839 636 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 15987136, 112, ... 544, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 15987136, 112, ... 544, 0x0, 0x0, 0x0, 112, ) == 0x0 02840 636 NtRequestWaitReplyPort (544, {128, 152, new_msg, 0, 126868, 1310720, 15986900, 2012750850} (544, {128, 152, new_msg, 0, 126868, 1310720, 15986900, 2012750850} "\0\367\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\200\263\25\0\0|\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 636, 1531, 0} "\7\367\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\200\263\25\0\0|\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 636, 1531, 0} (544, {128, 152, new_msg, 0, 126868, 1310720, 15986900, 2012750850} "\0\367\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\200\263\25\0\0|\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 636, 1531, 0} "\7\367\363\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\200\263\25\0\0|\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02841 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=692}, ) == 0x0 02842 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 536, {status=0x0, info=1}, ) == 0x0 02843 572 NtQueryDirectoryFile (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02844 636 NtRequestWaitReplyPort (544, {64, 88, new_msg, 0, 316, 636, 1524, 0} (544, {64, 88, new_msg, 0, 316, 636, 1524, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 316, 636, 1532, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 636, 1532, 0} (544, {64, 88, new_msg, 0, 316, 636, 1524, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 636, 1532, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200W\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02845 636 NtClose (548, ... ) == 0x0 02846 636 NtClose (544, ... ) == 0x0 02847 636 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 544, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 544, 2, ) , 0, ... 544, 2, ) == 0x0 02848 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 548, ) }, ... 548, ) == 0x0 02849 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 02830 588 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02850 588 NtQueryAttributesFile ({24, 224, 0x40, 0, 0, ({24, 224, 0x40, 0, 0, "rasadhlp.dll"}, 12841488, ... ) }, 12841488, ... ) == 0x0 02851 588 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 552, {status=0x0, info=1}, ) }, 5, 96, ... 552, {status=0x0, info=1}, ) == 0x0 02852 588 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 552, ... 556, ) == 0x0 02853 588 NtQuerySection (556, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02854 588 NtClose (552, ... 02849 636 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02855 636 NtQueryValueKey (544, (544, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (544, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02856 636 NtQueryValueKey (544, (544, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (544, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02857 636 NtClose (544, ... ) == 0x0 02858 636 NtClose (548, ... ) == 0x0 02859 636 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 548, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 548, 2, ) , 0, ... 548, 2, ) == 0x0 02860 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 02854 588 NtClose ... ) == 0x0 02861 588 NtMapViewOfSection (556, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 02862 588 NtClose (556, ... ) == 0x0 02863 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 556, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 556, {status=0x0, info=0}, ) == 0x0 02864 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
552, ) == 0x0 02865 588 NtDeviceIoControlFile (556, 552, 0x0, 0x0, 0xf14014, (556, 552, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02866 588 NtClose (552, ... 02860 636 NtOpenKey ... 544, ) == 0x0 02867 636 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02868 636 NtQueryValueKey (548, (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02869 636 NtQueryValueKey (548, (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (548, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02870 636 NtClose (548, ... ) == 0x0 02871 636 NtClose (544, ... 
) == 0x0 02872 636 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... }, 0x0, 128, 3, 3, 0, 0, 0, ... 02866 588 NtClose ... ) == 0x0 02873 588 NtClose (556, ... ) == 0x0 02872 636 NtCreateFile ... 556, {status=0x0, info=0}, ) == 0x0 02874 636 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 552, ) == 0x0 02875 636 NtDeviceIoControlFile (556, 552, 0x0, 0x0, 0xf14014, (556, 552, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0<\367\363\0O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0\360\377\25\0\0\0\0\0L\370\363\0\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\0\260\263\25\0\370\376\25\0\24\232\347w\23\264\26\0\300Z\25\0\316Z\25\0\24\264\25\0\377\377\0\0\0\0\0\0\24\264\25\0\7\0\0\0\300Z\25\0\370\367\363\0\177;\245q\0\0\0\0\0\0\0\0\300Z\25\0\0\0\0\0\24\264\25\0\377\377\0\0\1\0\0\0\210\1\24\0\370\377\25\0\4\0\0\0\0\0\0\0\210\1\24\0\360\377\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\10\264\25\0\364\263\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\370\376\1\1\0\0\24\0\220\367\363\0p\374\363\0\334\377\363\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\370\376\25\0\30m\25\0\250\377\25\0\300\377\25\0\300Z\25\0\316Z\25\0\24\264\25\0\377\377\0\0\0\0\0\0\24\264\25\0\7\0\0\0\300Z\25\0\300\370\363\0\177;\245q\0\0\0\0\0\0\0\0\300Z\25\0\0\0\0\0\24\264\25\0\377\377\0\0\1\0\0\0\210\1\24\0x\372\25\0\4\0\0\0\0\0\0\0\210\1\24\0p\372\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\10\264\25\0\364\263\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0(-\1\1\0\0\24\0X\370\363\08\375\363\0\334\377\363\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q(-\25\00m\25\0\250\377\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02876 636 NtClose (552, ... ) == 0x0 02877 636 NtClose (556, ... ) == 0x0 02878 636 NtWaitForSingleObject (232, 0, {0, 0}, ... 
) == 0x102 02879 636 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 15989992, 67, ... 556, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 15989992, 67, ... 556, {status=0x0, info=0}, ) == 0x0 02880 636 NtDeviceIoControlFile (556, 516, 0x0, 0x0, 0x12047, (556, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0xx\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\374k\25\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02881 636 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02882 636 NtDeviceIoControlFile (556, 516, 0x0, 0x0, 0x1203b, (556, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\360\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02883 636 NtDeviceIoControlFile (556, 516, 0x0, 0x0, 0x12003, (556, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=552}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=552}, (556, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=552}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02884 636 NtDeviceIoControlFile (556, 516, 0x0, 0x0, 0x12047, (556, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10z\25\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\374k\25\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02885 636 NtDeviceIoControlFile (524, 0, 0x0, 0x15aa80, 0x12007, (524, 0, 0x0, 0x15aa80, 0x12007, "\0\0\0\0\16\0\2\0,\2\0\0\1\0\0\0\16\0\2\0\1\275\300\250\265\313h\376\363\0MYWO", 34, 8, ... , 34, 8, ... 02761 732 NtRemoveIoCompletion ... 1906658213, 1419904, {status=0xc000023d, info=0}, ) == 0x0 02886 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 544, ) == 0x0 02887 732 NtWaitForSingleObject (544, 0, 0x0, ... 02885 636 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02888 636 NtSetEventBoostPriority (544, ... 02887 732 NtWaitForSingleObject ... ) == 0x0 02889 732 NtDeviceIoControlFile (556, 512, 0x0, 0x0, 0x12037, (556, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (556, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02890 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 02888 636 NtSetEventBoostPriority ... ) == 0x0 02891 636 NtDeviceIoControlFile (556, 516, 0x0, 0x0, 0x12024, (556, 516, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0,\2\0\0\4\0\0\0\350\374\363\0", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... 
{status=0x71a561a7, info=0}, "", ) == 0x103 02892 636 NtWaitForSingleObject (516, 1, {-5000000, -1}, ... 02843 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 02893 572 NtAllocateVirtualMemory (-1, 1441792, 0, 8192, 4096, 4, ... 1441792, 8192, ) == 0x0 02894 572 NtQueryDirectoryFile (536, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=208}, ) == 0x0 02895 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12003, (468, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02896 392 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\DownloadManager"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 02895 588 NtDeviceIoControlFile ... {status=0x0, info=548}, ... {status=0x0, info=548}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02897 392 NtSetInformationFile (-2147482808, -133331932, 8, EndOfFile, ... 02898 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02899 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\F-Secure\"}, 3, 16417, ... }, 3, 16417, ... 02898 588 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02899 572 NtOpenFile ... 560, {status=0x0, info=1}, ) == 0x0 02897 392 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02900 572 NtQueryDirectoryFile (560, 0, 0, 0, 11789812, 616, BothDirectory, 1, (560, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... , 0, ... 02896 392 NtCreateKey ... 564, 1, ) == 0x0 02901 392 NtQueryValueKey (564, (564, "CacheOk", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02902 392 NtClose (564, ... 
) == 0x0 02903 588 NtDeviceIoControlFile (548, 0, 0x0, 0x0, 0x120028, (548, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02904 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02905 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12023, (468, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 02906 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 02907 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02908 588 NtClose (548, ... ) == 0x0 02909 588 NtClose (468, ... ) == 0x0 02910 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 02911 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 02912 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 02913 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02914 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02915 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 468, 2, ) }, 0, 0x0, 0, ... 468, 2, ) == 0x0 02916 588 NtCreateKey (0x20019, {24, 468, 0x40, 0, 0, (0x20019, {24, 468, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 548, 2, ) }, 0, 0x0, 0, ... 548, 2, ) == 0x0 02917 588 NtClose (468, ... ) == 0x0 02918 588 NtQueryValueKey (548, (548, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02919 588 NtClose (548, ... ) == 0x0 02920 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02921 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02922 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02923 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02924 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02925 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02926 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 02927 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02928 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 548, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
548, {status=0x0, info=0}, ) == 0x0 02929 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02930 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02931 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02932 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02933 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 02934 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
468, ) == 0x0 02935 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 564, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 564, 0x0, 0x0, 0x0, 112, ) == 0x0 02936 588 NtRequestWaitReplyPort (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\330\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1535, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\330\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1535, 0} (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\330\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1535, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\330\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02937 588 NtRequestWaitReplyPort (564, {104, 128, new_msg, 0, 316, 588, 1528, 0} (564, {104, 128, new_msg, 0, 316, 588, 1528, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1536, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 316, 588, 1536, 0} (564, {104, 128, new_msg, 0, 316, 588, 1528, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1536, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02938 588 NtClose (468, ... ) == 0x0 02939 588 NtClose (564, ... ) == 0x0 02940 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 564, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 564, {status=0x0, info=0}, ) == 0x0 02941 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
468, ) == 0x0 02942 588 NtDeviceIoControlFile (564, 468, 0x0, 0x0, 0xf14014, (564, 468, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02943 588 NtClose (468, ... ) == 0x0 02944 588 NtClose (564, ... ) == 0x0 02945 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12003, (548, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=564}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=564}, (548, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=564}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02946 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02947 588 NtDeviceIoControlFile (564, 0, 0x0, 0x0, 0x120028, (564, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02948 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02949 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12023, (548, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 02950 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 02951 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02952 588 NtClose (564, ... ) == 0x0 02953 588 NtClose (548, ... ) == 0x0 02954 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 02955 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 02956 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 02957 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02958 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02959 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 548, 2, ) }, 0, 0x0, 0, ... 548, 2, ) == 0x0 02960 588 NtCreateKey (0x20019, {24, 548, 0x40, 0, 0, (0x20019, {24, 548, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 564, 2, ) }, 0, 0x0, 0, ... 564, 2, ) == 0x0 02961 588 NtClose (548, ... ) == 0x0 02962 588 NtQueryValueKey (564, (564, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02963 588 NtClose (564, ... ) == 0x0 02964 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02965 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02966 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02967 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 02968 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02969 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 02970 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 02971 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02972 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 564, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
564, {status=0x0, info=0}, ) == 0x0 02973 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02974 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 02975 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02976 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02977 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 02978 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
548, ) == 0x0 02979 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 468, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 468, 0x0, 0x0, 0x0, 112, ) == 0x0 02980 588 NtRequestWaitReplyPort (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1539, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1539, 0} (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1539, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02981 588 NtRequestWaitReplyPort (468, {104, 128, new_msg, 0, 316, 588, 1536, 0} (468, {104, 128, new_msg, 0, 316, 588, 1536, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1540, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 316, 588, 1540, 0} (468, {104, 128, new_msg, 0, 316, 588, 1536, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1540, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02982 588 NtClose (548, ... ) == 0x0 02983 588 NtClose (468, ... ) == 0x0 02984 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 468, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 468, {status=0x0, info=0}, ) == 0x0 02985 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
548, ) == 0x0 02986 588 NtDeviceIoControlFile (468, 548, 0x0, 0x0, 0xf14014, (468, 548, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02987 588 NtClose (548, ... ) == 0x0 02988 588 NtClose (468, ... ) == 0x0 02989 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12003, (564, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=468}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=468}, (564, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=468}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02990 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02991 588 NtDeviceIoControlFile (468, 0, 0x0, 0x0, 0x120028, (468, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02992 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02993 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12023, (564, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 02994 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 02995 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02996 588 NtClose (468, ... ) == 0x0 02997 588 NtClose (564, ... ) == 0x0 02998 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 02999 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 03000 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 03001 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03002 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03003 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 564, 2, ) }, 0, 0x0, 0, ... 564, 2, ) == 0x0 03004 588 NtCreateKey (0x20019, {24, 564, 0x40, 0, 0, (0x20019, {24, 564, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 468, 2, ) }, 0, 0x0, 0, ... 468, 2, ) == 0x0 03005 588 NtClose (564, ... ) == 0x0 03006 588 NtQueryValueKey (468, (468, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03007 588 NtClose (468, ... ) == 0x0 03008 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03009 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03010 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03011 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03012 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03013 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03014 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 03015 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03016 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 468, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
468, {status=0x0, info=0}, ) == 0x0 03017 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03018 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03019 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03020 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03021 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03022 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
564, ) == 0x0 03023 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 548, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 548, 0x0, 0x0, 0x0, 112, ) == 0x0 03024 588 NtRequestWaitReplyPort (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\310\261\25\0\10|\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1543, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\310\261\25\0\10|\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1543, 0} (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\310\261\25\0\10|\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1543, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\310\261\25\0\10|\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03025 588 NtRequestWaitReplyPort (548, {104, 128, new_msg, 0, 316, 588, 1540, 0} (548, {104, 128, new_msg, 0, 316, 588, 1540, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1544, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 316, 588, 1544, 0} (548, {104, 128, new_msg, 0, 316, 588, 1540, 0} "\1\200\0\0A\2\11\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1544, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03026 588 NtClose (564, ... ) == 0x0 03027 588 NtClose (548, ... ) == 0x0 03028 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 548, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 548, {status=0x0, info=0}, ) == 0x0 03029 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
564, ) == 0x0 03030 588 NtDeviceIoControlFile (548, 564, 0x0, 0x0, 0xf14014, (548, 564, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03031 588 NtClose (564, ... ) == 0x0 03032 588 NtClose (548, ... ) == 0x0 03033 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12003, (468, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=548}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=548}, (468, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=548}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03034 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03035 588 NtDeviceIoControlFile (548, 0, 0x0, 0x0, 0x120028, (548, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03036 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03037 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12023, (468, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 03038 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 03039 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03040 588 NtClose (548, ... ) == 0x0 03041 588 NtClose (468, ... ) == 0x0 03042 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 03043 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 03044 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 03045 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03046 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03047 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 468, 2, ) }, 0, 0x0, 0, ... 468, 2, ) == 0x0 03048 588 NtCreateKey (0x20019, {24, 468, 0x40, 0, 0, (0x20019, {24, 468, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 548, 2, ) }, 0, 0x0, 0, ... 548, 2, ) == 0x0 03049 588 NtClose (468, ... ) == 0x0 03050 588 NtQueryValueKey (548, (548, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03051 588 NtClose (548, ... ) == 0x0 03052 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03053 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03054 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03055 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03056 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03057 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03058 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 03059 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03060 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 548, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
548, {status=0x0, info=0}, ) == 0x0 03061 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03062 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03063 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03064 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03065 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03066 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
468, ) == 0x0 03067 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 564, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 564, 0x0, 0x0, 0x0, 112, ) == 0x0 03068 588 NtRequestWaitReplyPort (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\310\261\25\0`\242\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1547, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\310\261\25\0`\242\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1547, 0} (564, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\310\261\25\0`\242\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1547, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0\310\261\25\0`\242\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0$\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03069 588 NtRequestWaitReplyPort (564, {104, 128, new_msg, 0, 316, 588, 1544, 0} (564, {104, 128, new_msg, 0, 316, 588, 1544, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1548, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 316, 588, 1548, 0} (564, {104, 128, new_msg, 0, 316, 588, 1544, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1548, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03070 588 NtClose (468, ... ) == 0x0 03071 588 NtClose (564, ... ) == 0x0 03072 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 564, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 564, {status=0x0, info=0}, ) == 0x0 03073 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
468, ) == 0x0 03074 588 NtDeviceIoControlFile (564, 468, 0x0, 0x0, 0xf14014, (564, 468, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03075 588 NtClose (468, ... ) == 0x0 03076 588 NtClose (564, ... ) == 0x0 03077 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12003, (548, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=564}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=564}, (548, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=564}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03078 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03079 588 NtDeviceIoControlFile (564, 0, 0x0, 0x0, 0x120028, (564, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03080 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12047, (548, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03081 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12023, (548, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 03082 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 03083 588 NtDeviceIoControlFile (548, 456, 0x0, 0x0, 0x12037, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (548, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03084 588 NtClose (564, ... ) == 0x0 03085 588 NtClose (548, ... ) == 0x0 03086 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 03087 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 03088 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 03089 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03090 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03091 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 548, 2, ) }, 0, 0x0, 0, ... 548, 2, ) == 0x0 03092 588 NtCreateKey (0x20019, {24, 548, 0x40, 0, 0, (0x20019, {24, 548, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 564, 2, ) }, 0, 0x0, 0, ... 564, 2, ) == 0x0 03093 588 NtClose (548, ... ) == 0x0 03094 588 NtQueryValueKey (564, (564, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03095 588 NtClose (564, ... ) == 0x0 03096 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03097 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03098 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03099 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03100 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03101 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03102 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 03103 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03104 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 564, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
564, {status=0x0, info=0}, ) == 0x0 03105 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03106 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03107 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03108 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03109 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03110 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
548, ) == 0x0 03111 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 468, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 468, 0x0, 0x0, 0x0, 112, ) == 0x0 03112 588 NtRequestWaitReplyPort (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1551, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1551, 0} (468, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1551, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0\310\261\25\0\370\264\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\04\2\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03113 588 NtRequestWaitReplyPort (468, {104, 128, new_msg, 0, 316, 588, 1548, 0} (468, {104, 128, new_msg, 0, 316, 588, 1548, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1552, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 316, 588, 1552, 0} (468, {104, 128, new_msg, 0, 316, 588, 1548, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 316, 588, 1552, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03114 588 NtClose (548, ... ) == 0x0 03115 588 NtClose (468, ... ) == 0x0 03116 588 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 468, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 468, {status=0x0, info=0}, ) == 0x0 03117 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
548, ) == 0x0 03118 588 NtDeviceIoControlFile (468, 548, 0x0, 0x0, 0xf14014, (468, 548, 0x0, 0x0, 0xf14014, "\3\0\0\0www.symantec.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03119 588 NtClose (548, ... ) == 0x0 03120 588 NtClose (468, ... ) == 0x0 03121 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12003, (564, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=468}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=468}, (564, 456, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=468}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03122 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03123 588 NtDeviceIoControlFile (468, 0, 0x0, 0x0, 0x120028, (468, 0, 0x0, 0x0, 0x120028, "\0\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\14\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03124 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12047, (564, 456, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\271\25\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03125 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12023, (564, 456, 0x0, 0x0, 0x12023, "\300\374\303\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\26\0\0\0@\374\303\0", 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) , 56, 0, ... {status=0xc0000207, info=0}, 0x0, ) == 0x103 03126 588 NtWaitForSingleObject (456, 1, {-5000000, -1}, ... ) == 0x0 03127 588 NtDeviceIoControlFile (564, 456, 0x0, 0x0, 0x12037, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (564, 456, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03128 588 NtClose (468, ... ) == 0x0 03129 588 NtClose (564, ... ) == 0x0 03130 588 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 03131 588 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 03132 588 NtReleaseMutant (324, ... 0x0, ) == 0x0 03133 588 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03134 588 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03135 588 NtCreateKey (0x2001d, {24, 28, 0x40, 0, 0, (0x2001d, {24, 28, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 564, 2, ) }, 0, 0x0, 0, ... 564, 2, ) == 0x0 03136 588 NtCreateKey (0x20019, {24, 564, 0x40, 0, 0, (0x20019, {24, 564, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 468, 2, ) }, 0, 0x0, 0, ... 468, 2, ) == 0x0 03137 588 NtClose (564, ... ) == 0x0 03138 588 NtQueryValueKey (468, (468, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03139 588 NtClose (468, ... ) == 0x0 03140 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03141 588 NtQueryInformationFile (268, 12842912, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03142 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03143 588 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03144 588 NtQueryInformationFile (268, 12843068, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03145 588 NtReleaseMutant (256, ... 0x0, ) == 0x0 03146 588 NtReleaseMutant (320, ... 0x0, ) == 0x0 03147 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03148 588 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12843932, 79, ... 468, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12843932, 79, ... 
468, {status=0x0, info=0}, ) == 0x0 03149 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03150 588 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03151 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12037, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (468, 456, 0x0, 0x0, 0x12037, "\3\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03152 588 NtDeviceIoControlFile (468, 456, 0x0, 0x0, 0x12047, (468, 456, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\377\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\1\0\0\0\1\0\0\0\1\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03153 588 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03154 588 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
564, ) == 0x0 03155 588 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 548, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 12840728, 112, ... 548, 0x0, 0x0, 0x0, 112, ) == 0x0 03156 588 NtRequestWaitReplyPort (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 316, 588, 1555, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 316, 588, 1555, 0} (548, {128, 152, new_msg, 0, 126188, 1310720, 12840492, 2012750850} "\0\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\240Z\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 316, 588, 1555, 0} "\7\364\303\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0\310\261\25\0\210\263\25\0\0\0\0\0\377\377\377\377T\22\365wR\32\335w\0\0\0\0\0\0\0\0|\362\303\0\324\1\0\0\30\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03157 588 NtRequestWaitReplyPort (548, {104, 128, new_msg, 0, 316, 588, 1552, 0} (548, {104, 128, new_msg, 0, 316, 588, 1552, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\34\202\25\0\21\0\0\0\0\0\0\0\21\0\0\0w\0w\0w\0.\0s\0y\0m\0a\0n\0t\0e\0c\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 02900 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03158 572 NtQueryDirectoryFile (560, 0, 0, 0, 1445888, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=212}, ) == 0x0 03159 572 NtAllocateVirtualMemory (-1, 11780096, 0, 4096, 4096, 260, ... 11780096, 4096, ) == 0x0 03160 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\F-Secure\Anti-Virus\"}, 3, 16417, ... 568, {status=0x0, info=1}, ) }, 3, 16417, ... 568, {status=0x0, info=1}, ) == 0x0 03161 572 NtQueryDirectoryFile (568, 0, 0, 0, 11789192, 616, BothDirectory, 1, (568, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03162 572 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 03163 572 NtAllocateVirtualMemory (-1, 1454080, 0, 8192, 4096, 4, ... 1454080, 8192, ) == 0x0 03164 572 NtQueryDirectoryFile (568, 0, 0, 0, 1450048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03165 572 NtQueryDirectoryFile (568, 0, 0, 0, 1450048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03166 572 NtClose (568, ... 
) == 0x0 03167 572 NtQueryDirectoryFile (560, 0, 0, 0, 1445888, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03168 392 NtUserRegisterClassExWOW (1239696, 1239772, 1239788, 1239760, 0, 386, 0, ... ) == 0x810dc0cb 03169 392 NtUserCreateWindowEx (-2147483648, 1239796, 1239608, 0x0, 0, 0, 0, 0, 0, -3, 0, 1980694528, 0, 1073742848, 0, ... 03170 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235992, ... ) }, 1235992, ... ) == 0x0 03171 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 568, {status=0x0, info=1}, ) }, 5, 96, ... 568, {status=0x0, info=1}, ) == 0x0 03172 392 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 568, ... 572, ) == 0x0 03173 392 NtClose (568, ... 03174 572 NtClose (560, ... ) == 0x0 03175 572 NtQueryDirectoryFile (536, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03176 572 NtClose (536, ... ) == 0x0 03177 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\History\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 536, {status=0x0, info=1}, ) == 0x0 03178 572 NtQueryDirectoryFile (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03173 392 NtClose ... ) == 0x0 03179 392 NtMapViewOfSection (572, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1050000), 0x0, 204800, ) == 0x0 03180 392 NtClose (572, ... ) == 0x0 03181 392 NtUnmapViewOfSection (-1, 0x1050000, ... 03178 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03181 392 NtUnmapViewOfSection ... ) == 0x0 03182 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1236308, ... ) }, 1236308, ... 
) == 0x0 03183 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 572, {status=0x0, info=1}, ) }, 5, 96, ... 572, {status=0x0, info=1}, ) == 0x0 03184 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 572, ... 568, ) == 0x0 03185 392 NtQuerySection (568, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03186 392 NtClose (572, ... ) == 0x0 03187 392 NtMapViewOfSection (568, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 03188 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=332}, ) == 0x0 03189 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\"}, 3, 16417, ... 572, {status=0x0, info=1}, ) }, 3, 16417, ... 572, {status=0x0, info=1}, ) == 0x0 03190 572 NtQueryDirectoryFile (572, 0, 0, 0, 11789812, 616, BothDirectory, 1, (572, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03187 392 NtMapViewOfSection ... (0x5ad70000), 0x0, 212992, ) == 0x0 03191 392 NtClose (568, ... ) == 0x0 03192 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03193 392 NtUserCallOneParam (16842835, 56, ... 03190 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03194 572 NtQueryDirectoryFile (572, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=474}, ) == 0x0 03195 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007011620070117\"}, 3, 16417, ... 568, {status=0x0, info=1}, ) }, 3, 16417, ... 568, {status=0x0, info=1}, ) == 0x0 03196 572 NtQueryDirectoryFile (568, 0, 0, 0, 11789192, 616, BothDirectory, 1, (568, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03193 392 NtUserCallOneParam ... ) == 0x1 03197 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 03198 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 560, ) == 0x0 03199 392 NtQueryInformationToken (560, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03200 392 NtClose (560, ... ) == 0x0 03201 392 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 560, ) }, ... 560, ) == 0x0 03202 392 NtOpenKey (0x1, {24, 560, 0x40, 0, 0, (0x1, {24, 560, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 576, ) }, ... 576, ) == 0x0 03203 392 NtQueryValueKey (576, (576, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03204 392 NtClose (576, ... ) == 0x0 03205 392 NtClose (560, ... ) == 0x0 03206 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03207 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 560, ) == 0x0 03208 392 NtQueryInformationToken (560, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03209 392 NtClose (560, ... ) == 0x0 03210 392 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 560, ) }, ... 560, ) == 0x0 03211 392 NtOpenKey (0x1, {24, 560, 0x40, 0, 0, (0x1, {24, 560, 0x40, 0, 0, "Control Panel\Desktop"}, ... 576, ) }, ... 576, ) == 0x0 03212 392 NtQueryValueKey (576, (576, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03213 392 NtClose (576, ... ) == 0x0 03214 392 NtClose (560, ... ) == 0x0 03215 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1235808, ... ) }, 1235808, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03216 392 NtQueryAttributesFile ({24, 224, 0x40, 0, 0, ({24, 224, 0x40, 0, 0, "UxTheme.dll"}, 1235808, ... ) }, 1235808, ... ) == 0x0 03217 392 NtUserGetProcessWindowStation (... ) == 0x28 03218 392 NtUserGetObjectInformation (40, 2, 0, 0, 1238104, ... 
) == 0x0 03219 392 NtUserGetObjectInformation (40, 2, 1423224, 16, 1238104, ... ) == 0x1 03220 392 NtUserGetGUIThreadInfo (392, 1238060, ... ) == 0x1 03221 392 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1237880, 64, ... 560, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237880, 64, ... 560, 0x0, 0x0, 0x0, 64, ) == 0x0 03222 392 NtRequestWaitReplyPort (560, {32, 56, new_msg, 0, 0, 0, 0, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 316, 392, 1558, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1558, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03223 392 NtRequestWaitReplyPort (560, {32, 56, new_msg, 0, 0, 0, 0, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1559, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 316, 392, 1559, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1559, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03224 392 NtUserCallNoParam (29, ... 03225 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235352, ... ) }, 1235352, ... ) == 0x0 03224 392 NtUserCallNoParam ... ) == 0x0 03226 392 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 03227 392 NtGdiHfontCreate (1237432, 356, 0, 0, 1451840, ... ) == 0x490a03df 03228 392 NtGdiHfontCreate (1237432, 356, 0, 0, 1451832, ... 
) == 0x40a03e3 03229 392 NtRequestWaitReplyPort (560, {32, 56, new_msg, 0, 0, 0, 0, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1560, 0} "\0\0\0\0\0\0\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 316, 392, 1560, 0} (560, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 316, 392, 1560, 0} "\0\0\0\0\0\0\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03230 392 NtMapViewOfSection (576, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x1050000), {0, 0}, 331776, ) == 0x0 03231 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03232 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03233 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03234 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03235 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03236 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03237 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03238 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03239 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03240 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03241 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03242 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03243 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03244 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03245 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03246 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03247 392 NtUserGetWindowDC (0, ... ) == 0x1010053 03248 392 NtGdiCreatePatternBrushInternal (59048373, 0, 0, ... ) == 0x1b100383 03249 392 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03250 392 NtUserCallNoParam (29, ... 03251 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1234796, ... ) }, 1234796, ... ) == 0x0 03250 392 NtUserCallNoParam ... 
) == 0x0 03252 392 NtUserCallNoParam (29, ... 03253 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1234792, ... ) }, 1234792, ... ) == 0x0 03252 392 NtUserCallNoParam ... ) == 0x0 03254 392 NtUserMessageCall (0x200ae, WM_NCCREATE, 0x0, 0x12e548, 0, 670, 1, ... ) == 0x1 03255 392 NtUserMessageCall (0x200ae, WM_NCCALCSIZE, 0x0, 0x12e598, 0, 670, 1, ... ) == 0x0 03256 392 NtUserGetClassName (65558, 0, 1237316, ... ) == 0x7 03257 392 NtUserSetProp (131246, 43288, -2, ... ) == 0x1 03169 392 NtUserCreateWindowEx ... ) == 0x200ae 03258 392 NtAllocateVirtualMemory (-1, 1462272, 0, 12288, 4096, 4, ... 1462272, 12288, ) == 0x0 03259 392 NtQueryKey (74, Name, 384, ... {Name= (74, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 03260 392 NtOpenKey (0x20019, {24, 74, 0x40, 0, 0, (0x20019, {24, 74, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03261 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 580, ) }, ... 580, ) == 0x0 03262 392 NtQueryKey (74, Name, 384, ... {Name= (74, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESm"}, 138, ) }, 138, ) == 0x0 03263 392 NtOpenKey (0x20019, {24, 74, 0x40, 0, 0, (0x20019, {24, 74, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\http\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03264 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler\http"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03265 392 NtQueryKey (74, Name, 384, ... {Name= (74, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESm"}, 138, ) }, 138, ) == 0x0 03266 392 NtOpenKey (0x20019, {24, 74, 0x40, 0, 0, (0x20019, {24, 74, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\*\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03267 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler\*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03268 392 NtClose (582, ... ) == 0x0 03269 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mlang.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03270 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\mlang.dll"}, 1237864, ... ) }, 1237864, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03271 392 NtQueryAttributesFile ({24, 224, 0x40, 0, 0, ({24, 224, 0x40, 0, 0, "mlang.dll"}, 1237864, ... ) }, 1237864, ... ) == 0x0 03272 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll"}, 5, 96, ... 580, {status=0x0, info=1}, ) }, 5, 96, ... 580, {status=0x0, info=1}, ) == 0x0 03273 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 580, ... 02720 584 NtDelayExecution ... ) == 0x0 03274 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17498112, 1048576, ) == 0x0 03275 584 NtAllocateVirtualMemory (-1, 18538496, 0, 8192, 4096, 4, ... 18538496, 8192, ) == 0x0 03276 584 NtProtectVirtualMemory (-1, (0x11ae000), 4096, 260, ... (0x11ae000), 4096, 4, ) == 0x0 03277 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 03196 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03278 572 NtQueryDirectoryFile (568, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=216}, ) == 0x0 03279 572 NtQueryDirectoryFile (568, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03280 572 NtClose (568, ... 
) == 0x0 03281 572 NtQueryDirectoryFile (572, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03277 584 NtCreateThread ... 568, {316, 716}, ) == 0x0 03282 584 NtQueryInformationThread (568, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=316,Tid=716,}, 0x0, ) == 0x0 03283 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1515, 0} (24, {28, 56, new_msg, 0, 316, 584, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\08\2\0\0<\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 316, 584, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\08\2\0\0<\1\0\0\314\2\0\0" ) ... {28, 56, reply, 0, 316, 584, 1561, 0} (24, {28, 56, new_msg, 0, 316, 584, 1515, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\08\2\0\0<\1\0\0\314\2\0\0" ... {28, 56, reply, 0, 316, 584, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\08\2\0\0<\1\0\0\314\2\0\0" ) ) == 0x0 03284 584 NtResumeThread (568, ... 1, ) == 0x0 03285 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18546688, 1048576, ) == 0x0 03286 584 NtAllocateVirtualMemory (-1, 19587072, 0, 8192, 4096, 4, ... 19587072, 8192, ) == 0x0 03287 572 NtClose (572, ... 03288 716 NtWaitForSingleObject (260, 0, 0x0, ... 03287 572 NtClose ... ) == 0x0 03289 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03290 572 NtClose (536, ... ) == 0x0 03291 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 536, {status=0x0, info=1}, ) == 0x0 03292 572 NtQueryDirectoryFile (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03293 584 NtProtectVirtualMemory (-1, (0x12ae000), 4096, 260, ... (0x12ae000), 4096, 4, ) == 0x0 03294 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 
572, {316, 836}, ) == 0x0 03295 584 NtQueryInformationThread (572, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=316,Tid=836,}, 0x0, ) == 0x0 03296 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1561, 0} (24, {28, 56, new_msg, 0, 316, 584, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\2\0\0<\1\0\0D\3\0\0" ... {28, 56, reply, 0, 316, 584, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\2\0\0<\1\0\0D\3\0\0" ) ... {28, 56, reply, 0, 316, 584, 1562, 0} (24, {28, 56, new_msg, 0, 316, 584, 1561, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\2\0\0<\1\0\0D\3\0\0" ... {28, 56, reply, 0, 316, 584, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\2\0\0<\1\0\0D\3\0\0" ) ) == 0x0 03297 584 NtResumeThread (572, ... 1, ) == 0x0 03298 584 NtDelayExecution (0, {-500000, -1}, ... 03299 836 NtWaitForSingleObject (260, 0, 0x0, ... 03273 392 NtCreateSection ... 584, ) == 0x0 03300 392 NtQuerySection (584, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03301 392 NtClose (580, ... ) == 0x0 03302 392 NtMapViewOfSection (584, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 03292 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03302 392 NtMapViewOfSection ... (0x74770000), 0x0, 585728, ) == 0x0 03303 392 NtClose (584, ... ) == 0x0 03304 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=332}, ) == 0x0 03305 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 16417, ... 584, {status=0x0, info=1}, ) }, 3, 16417, ... 584, {status=0x0, info=1}, ) == 0x0 03306 572 NtQueryDirectoryFile (584, 0, 0, 0, 11789812, 616, BothDirectory, 1, (584, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03307 572 NtQueryDirectoryFile (584, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=784}, ) == 0x0 03308 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KASP1H0O\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 580, {status=0x0, info=1}, ) == 0x0 03309 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03310 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 03311 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03312 572 NtClose (580, ... ) == 0x0 03313 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L014ODDE\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 580, {status=0x0, info=1}, ) == 0x0 03314 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03315 392 NtQueryDefaultUILanguage (1236240, ... 03316 392 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03314 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03317 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 03318 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03319 572 NtClose (580, ... ) == 0x0 03320 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\22NJR936\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 
580, {status=0x0, info=1}, ) == 0x0 03321 392 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482072, ) == 0x0 03322 392 NtQueryInformationToken (-2147482072, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03323 392 NtClose (-2147482072, ... ) == 0x0 03324 392 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482072, ) }, ... -2147482072, ) == 0x0 03325 392 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03326 392 NtOpenKey (0x80000000, {24, -2147482072, 0x640, 0, 0, (0x80000000, {24, -2147482072, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482076, ) }, ... -2147482076, ) == 0x0 03327 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03328 392 NtQueryValueKey (-2147482076, (-2147482076, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03329 392 NtClose (-2147482076, ... ) == 0x0 03330 392 NtClose (-2147482072, ... 03327 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03331 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 03332 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03333 572 NtClose (580, ... ) == 0x0 03334 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OWIVSBA9\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 580, {status=0x0, info=1}, ) == 0x0 03330 392 NtClose ... 
) == 0x0 03335 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, (580, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03336 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 03337 572 NtQueryDirectoryFile (580, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03338 572 NtClose (580, ... ) == 0x0 03339 572 NtQueryDirectoryFile (584, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03315 392 NtQueryDefaultUILanguage ... ) == 0x0 03340 392 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03341 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll"}, 1, 96, ... 580, {status=0x0, info=1}, ) }, 1, 96, ... 580, {status=0x0, info=1}, ) == 0x0 03342 392 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 580, ... 588, ) == 0x0 03343 392 NtMapViewOfSection (588, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x12b0000), 0x0, 577536, ) == 0x0 03344 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll.123.Manifest"}, 1, 96, ... }, 1, 96, ... 03345 572 NtClose (584, ... ) == 0x0 03346 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03347 572 NtClose (536, ... ) == 0x0 03348 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 
536, {status=0x0, info=1}, ) == 0x0 03349 572 NtQueryDirectoryFile (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, (536, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03344 392 NtOpenFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03350 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03351 572 NtQueryDirectoryFile (536, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03352 572 NtClose (536, ... ) == 0x0 03353 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03354 572 NtClose (540, ... ) == 0x0 03355 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Templates\"}, 3, 16417, ... 540, {status=0x0, info=1}, ) }, 3, 16417, ... 540, {status=0x0, info=1}, ) == 0x0 03356 572 NtQueryDirectoryFile (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03357 392 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 03358 392 NtQueryDefaultLocale (1, 1234276, ... ) == 0x0 03359 392 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mlang.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03360 392 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235132, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235132, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1D\2\0\0\377\377\377\377\0\0\0\0`\26.\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\274\337\22\0\0\0\0\0" ... ... 03356 572 NtQueryDirectoryFile ... 
{status=0x0, info=96}, ) == 0x0 03361 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1522}, ) == 0x0 03362 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03363 572 NtClose (540, ... ) == 0x0 03364 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\"}, 3, 16417, ... 540, {status=0x0, info=1}, ) }, 3, 16417, ... 540, {status=0x0, info=1}, ) == 0x0 03365 572 NtQueryDirectoryFile (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03360 392 NtRequestWaitReplyPort ... {128, 156, reply, 0, 316, 392, 1563, 0} ... {128, 156, reply, 0, 316, 392, 1563, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\334\22\0\1\0\0\0\0\0\11\4\1\1\1\0:\0<\0\250\6\31\1D\2\0\0\377\377\377\377\0\0\0\0`\26.\1\0\0\0\0\262\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\344\6\31\1\0\0\0\0\0\0\0\0\274\337\22\0\0\0\0\0" ) ) == 0x0 03366 392 NtClose (580, ... ) == 0x0 03367 392 NtClose (588, ... ) == 0x0 03368 392 NtUnmapViewOfSection (-1, 0x12b0000, ... ) == 0x0 03365 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03369 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=324}, ) == 0x0 03370 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\"}, 3, 16417, ... 588, {status=0x0, info=1}, ) }, 3, 16417, ... 588, {status=0x0, info=1}, ) == 0x0 03371 572 NtQueryDirectoryFile (588, 0, 0, 0, 11790432, 616, BothDirectory, 1, (588, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03372 392 NtUnmapViewOfSection (-1, 0x12dfbc, ... ) == STATUS_NOT_MAPPED_VIEW 03373 392 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 03374 392 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03371 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03375 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03376 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03377 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1233360, ... }, 1233360, ... 03378 572 NtQueryDirectoryFile (588, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=716}, ) == 0x0 03379 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 580, {status=0x0, info=1}, ) == 0x0 03380 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789812, 616, BothDirectory, 1, (580, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03381 572 NtQueryDirectoryFile (580, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1248}, ) == 0x0 03382 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 536, {status=0x0, info=1}, ) == 0x0 03383 572 NtQueryDirectoryFile (536, 0, 0, 0, 11789192, 616, BothDirectory, 1, (536, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03384 572 NtQueryDirectoryFile (536, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=220}, ) == 0x0 03385 572 NtQueryDirectoryFile (536, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 03386 572 NtClose (536, ... ) == 0x0 03387 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\"}, 3, 16417, ... 536, {status=0x0, info=1}, ) }, 3, 16417, ... 536, {status=0x0, info=1}, ) == 0x0 03388 572 NtQueryDirectoryFile (536, 0, 0, 0, 11789192, 616, BothDirectory, 1, (536, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03389 572 NtQueryDirectoryFile (536, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=722}, ) == 0x0 03377 392 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03390 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03391 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03392 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03393 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1233952, ... ) }, 1233952, ... ) == 0x0 03394 572 NtQueryDirectoryFile (536, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03395 572 NtClose (536, ... ) == 0x0 03396 572 NtQueryDirectoryFile (580, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03397 572 NtClose (580, ... ) == 0x0 03398 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\"}, 3, 16417, ... 580, {status=0x0, info=1}, ) }, 3, 16417, ... 580, {status=0x0, info=1}, ) == 0x0 03399 572 NtQueryDirectoryFile (580, 0, 0, 0, 11789812, 616, BothDirectory, 1, (580, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... , 0, ... 
03400 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 536, {status=0x0, info=1}, ) }, 3, 33, ... 536, {status=0x0, info=1}, ) == 0x0 03401 392 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03402 392 NtSetEventBoostPriority (260, ... 03288 716 NtWaitForSingleObject ... ) == 0x0 03403 716 NtSetEventBoostPriority (260, ... 03299 836 NtWaitForSingleObject ... ) == 0x0 03404 836 NtTestAlert (... ) == 0x0 03403 716 NtSetEventBoostPriority ... ) == 0x0 03402 392 NtSetEventBoostPriority ... ) == 0x0 03399 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03405 836 NtContinue (19594544, 1, ... 03406 716 NtTestAlert (... 03407 572 NtQueryDirectoryFile (580, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... 03408 836 NtRegisterThreadTerminatePort (24, ... 03406 716 NtTestAlert ... ) == 0x0 03407 572 NtQueryDirectoryFile ... {status=0x0, info=220}, ) == 0x0 03408 836 NtRegisterThreadTerminatePort ... ) == 0x0 03409 716 NtContinue (18545968, 1, ... 03410 572 NtQueryDirectoryFile (580, 0, 0, 0, 1441784, 4096, BothDirectory, 0, 0x0, 0, ... 03411 836 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03412 716 NtRegisterThreadTerminatePort (24, ... 03410 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03411 836 NtDuplicateObject ... 584, ) == 0x0 03412 716 NtRegisterThreadTerminatePort ... ) == 0x0 03413 836 NtWaitForSingleObject (292, 0, {0, 0}, ... 03414 716 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03415 572 NtClose (580, ... 03413 836 NtWaitForSingleObject ... ) == 0x102 03416 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent"}, ... }, ... 03415 572 NtClose ... ) == 0x0 03417 836 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03416 392 NtOpenKey ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03418 572 NtQueryDirectoryFile (588, 0, 0, 0, 1454896, 4096, BothDirectory, 0, 0x0, 0, ... 03417 836 NtCreateEvent ... 580, ) == 0x0 03419 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent"}, ... }, ... 03418 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03420 836 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03419 392 NtOpenKey ... 592, ) == 0x0 03421 572 NtClose (588, ... 03420 836 NtCreateEvent ... 596, ) == 0x0 03414 716 NtDuplicateObject ... 600, ) == 0x0 03421 572 NtClose ... ) == 0x0 03422 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent"}, ... }, ... 03423 716 NtWaitForSingleObject (232, 0, {0, 0}, ... 03424 836 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03422 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03423 716 NtWaitForSingleObject ... ) == 0x102 03424 836 NtDuplicateObject ... 588, ) == 0x0 03425 392 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent"}, ... }, ... 03426 716 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03427 836 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03425 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03426 716 NtCreateEvent ... 604, ) == 0x0 03427 836 NtCreateEvent ... 608, ) == 0x0 03428 392 NtOpenKey (0x1, {24, 592, 0x40, 0, 0, (0x1, {24, 592, 0x40, 0, 0, "UA Tokens"}, ... }, ... 03429 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03430 836 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 0, 0, 0, 0} (548, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03428 392 NtOpenKey ... 612, ) == 0x0 03429 572 NtQueryDirectoryFile ... 
) == STATUS_NO_MORE_FILES 03431 716 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18545908, 67, ... }, 0x0, 0, 3, 3, 0, 18545908, 67, ... 03432 572 NtClose (540, ... 03431 716 NtCreateFile ... 616, {status=0x0, info=0}, ) == 0x0 03432 572 NtClose ... ) == 0x0 03433 716 NtDeviceIoControlFile (616, 604, 0x0, 0x0, 0x12047, (616, 604, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10\30\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 03434 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\SendTo\"}, 3, 16417, ... }, 3, 16417, ... 03433 716 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 03434 572 NtOpenFile ... 540, {status=0x0, info=1}, ) == 0x0 03435 716 NtWaitForSingleObject (232, 0, {0, 0}, ... 03436 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... }, ... 03430 836 NtRequestWaitReplyPort ... {52, 76, reply, 0, 316, 836, 1564, 0} ... {52, 76, reply, 0, 316, 836, 1564, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03436 392 NtOpenKey ... 620, ) == 0x0 03437 836 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
}, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03438 392 NtQueryValueKey (620, (620, "User Agent", Partial, 144, ... , Partial, 144, ... 03437 836 NtCreateKey ... 624, 2, ) == 0x0 03438 392 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) }, 96, ) == 0x0 03439 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03440 392 NtQueryValueKey (620, (620, "User Agent", Partial, 144, ... , Partial, 144, ... 03439 836 NtOpenKey ... 628, ) == 0x0 03440 392 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0o\0z\0i\0l\0l\0a\0/\04\0.\00\0 \0(\0c\0o\0m\0p\0a\0t\0i\0b\0l\0e\0;\0 \0M\0S\0I\0E\0 \06\0.\00\0;\0 \0W\0i\0n\03\02\0)\0\0\0"}, 96, ) }, 96, ) == 0x0 03441 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03442 572 NtQueryDirectoryFile (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03435 716 NtWaitForSingleObject ... ) == 0x102 03443 392 NtClose (620, ... 03442 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03444 716 NtDeviceIoControlFile (616, 604, 0x0, 0x0, 0x1203b, (616, 604, 0x0, 0x0, 0x1203b, "\2\0\0\0\300\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... , 16, 0, ... 03443 392 NtClose ... ) == 0x0 03445 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03444 716 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03446 392 NtEnumerateValueKey (612, 0, Full, 220, ... 03445 572 NtQueryDirectoryFile ... 
{status=0x0, info=694}, ) == 0x0 03447 716 NtDeviceIoControlFile (616, 604, 0x0, 0x0, 0x12003, (616, 604, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 03446 392 NtEnumerateValueKey ... TitleIdx=0, Type=1, Name=" ... TitleIdx=0, Type=1, Name="", Data="\0\0"}, 22, ) \0\0"}, 22, ) == 0x0 03441 836 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03447 716 NtDeviceIoControlFile ... {status=0x0, info=620}, ... {status=0x0, info=620}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\15\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03448 392 NtEnumerateValueKey (612, 1, Full, 220, ... 03449 836 NtQueryValueKey (624, (624, "Hostname", Partial, 144, ... , Partial, 144, ... 03450 716 NtDeviceIoControlFile (616, 604, 0x0, 0x0, 0x12047, (616, 604, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p\13\26\0\2\0\4\15\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 03448 392 NtEnumerateValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="MSN 2.0", Data="\0\0"}, 38, ) , Data= ... TitleIdx=0, Type=1, Name="MSN 2.0", Data="\0\0"}, 38, ) }, 38, ) == 0x0 03449 836 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03451 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03450 716 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03452 836 NtQueryValueKey (624, (624, "Hostname", Partial, 144, ... , Partial, 144, ... 03451 572 NtQueryDirectoryFile ... 
) == STATUS_NO_MORE_FILES 03453 716 NtDeviceIoControlFile (524, 0, 0x0, 0x1624f8, 0x12007, (524, 0, 0x0, 0x1624f8, 0x12007, "\0\0\0\0\16\0\2\0h\2\0\0\1\0\0\0\16\0\2\0\1\275\33$\220\252\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03452 836 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03454 572 NtClose (540, ... 03453 716 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03455 836 NtClose (624, ... 02890 732 NtRemoveIoCompletion ... 1906658213, 1451256, {status=0xc000023d, info=0}, ) == 0x0 03454 572 NtClose ... ) == 0x0 03456 716 NtDeviceIoControlFile (616, 604, 0x0, 0x0, 0x12024, (616, 604, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0h\2\0\0\4\0\0\0\364\374\32\1", 28, 28, ... , 28, 28, ... 03457 392 NtEnumerateValueKey (612, 2, Full, 220, ... 03458 732 NtDeviceIoControlFile (616, 512, 0x0, 0x0, 0x12037, (616, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 03459 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Recent\"}, 3, 16417, ... }, 3, 16417, ... 03456 716 NtDeviceIoControlFile ... {status=0x71a561a7, info=0}, "", ) == 0x103 03458 732 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03457 392 NtEnumerateValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="MSN 2.5", Data="\0\0"}, 38, ) , Data= ... TitleIdx=0, Type=1, Name="MSN 2.5", Data="\0\0"}, 38, ) }, 38, ) == 0x0 03459 572 NtOpenFile ... 540, {status=0x0, info=1}, ) == 0x0 03460 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 03461 716 NtWaitForSingleObject (604, 1, {-5000000, -1}, ... 03462 392 NtEnumerateValueKey (612, 3, Full, 220, ... 03455 836 NtClose ... ) == 0x0 03463 572 NtQueryDirectoryFile (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, (540, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 
03462 392 NtEnumerateValueKey ... ) == STATUS_NO_MORE_ENTRIES 03464 836 NtClose (628, ... 03463 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03465 392 NtClose (612, ... 03464 836 NtClose ... ) == 0x0 03466 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03465 392 NtClose ... ) == 0x0 03467 836 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03466 572 NtQueryDirectoryFile ... {status=0x0, info=98}, ) == 0x0 03467 836 NtCreateKey ... 612, 2, ) == 0x0 03468 392 NtOpenKey (0x1, {24, 592, 0x40, 0, 0, (0x1, {24, 592, 0x40, 0, 0, "Pre Platform"}, ... }, ... 03469 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03468 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03470 572 NtQueryDirectoryFile (540, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03471 392 NtQuerySystemInformation (Basic, 44, ... 03470 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03471 392 NtQuerySystemInformation ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03472 572 NtClose (540, ... 03473 392 NtQuerySystemInformation (Processor, 12, ... 03472 572 NtClose ... ) == 0x0 03473 392 NtQuerySystemInformation ... {system info, class 1, size 12}, 0x0, ) == 0x0 03474 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\PrintHood\"}, 3, 16417, ... }, 3, 16417, ... 03469 836 NtOpenKey ... 540, ) == 0x0 03474 572 NtOpenFile ... 
628, {status=0x0, info=1}, ) == 0x0 03475 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 03476 392 NtOpenKey (0x1, {24, 592, 0x40, 0, 0, (0x1, {24, 592, 0x40, 0, 0, "Post Platform"}, ... }, ... 03475 836 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03476 392 NtOpenKey ... 624, ) == 0x0 03477 836 NtQueryValueKey (612, (612, "Domain", Partial, 144, ... , Partial, 144, ... 03478 392 NtEnumerateValueKey (624, 0, Full, 220, ... 03477 836 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03478 392 NtEnumerateValueKey ... ) == STATUS_NO_MORE_ENTRIES 03479 836 NtQueryValueKey (612, (612, "Domain", Partial, 144, ... , Partial, 144, ... 03480 392 NtClose (624, ... 03481 572 NtQueryDirectoryFile (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03480 392 NtClose ... ) == 0x0 03481 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03479 836 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03482 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03483 836 NtClose (612, ... 03482 572 NtQueryDirectoryFile ... {status=0x0, info=98}, ) == 0x0 03483 836 NtClose ... ) == 0x0 03484 392 NtClose (592, ... 03485 836 NtClose (540, ... 03484 392 NtClose ... ) == 0x0 03485 836 NtClose ... ) == 0x0 03486 392 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 03487 836 NtWaitForSingleObject (292, 0, {0, 0}, ... 03486 392 NtCreateEvent ... 540, ) == 0x0 03488 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03489 392 NtWaitForSingleObject (540, 0, 0x0, ... 03488 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03490 572 NtClose (628, ... 
) == 0x0 03491 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\My Documents\"}, 3, 16417, ... 628, {status=0x0, info=1}, ) }, 3, 16417, ... 628, {status=0x0, info=1}, ) == 0x0 03492 572 NtQueryDirectoryFile (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03493 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03487 836 NtWaitForSingleObject ... ) == 0x102 03489 392 NtWaitForSingleObject ... ) == 0x0 03494 836 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 316, 836, 1564, 0} (548, {64, 88, new_msg, 0, 316, 836, 1564, 0} "\1\200\0\0A\2\10\0\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03495 392 NtClearEvent (540, ... ) == 0x0 03496 392 NtSetEvent (540, ... 0x0, ) == 0x0 03497 392 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... }, ... 03494 836 NtRequestWaitReplyPort ... {52, 76, reply, 0, 316, 836, 1566, 0} ... {52, 76, reply, 0, 316, 836, 1566, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03498 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03499 836 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03498 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03497 392 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03500 572 NtClose (628, ... 
03501 392 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1237320, ... }, 1237320, ... 03500 572 NtClose ... ) == 0x0 03502 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\NetHood\"}, 3, 16417, ... 628, {status=0x0, info=1}, ) }, 3, 16417, ... 628, {status=0x0, info=1}, ) == 0x0 03503 572 NtQueryDirectoryFile (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03504 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03499 836 NtCreateKey ... 592, 2, ) == 0x0 03505 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 612, ) }, ... 612, ) == 0x0 03506 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03507 836 NtQueryValueKey (592, (592, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03508 836 NtQueryValueKey (592, (592, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03509 836 NtClose (592, ... ) == 0x0 03510 836 NtClose (612, ... 03511 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03512 572 NtClose (628, ... 
) == 0x0 03513 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Favorites\"}, 3, 16417, ... 628, {status=0x0, info=1}, ) }, 3, 16417, ... 628, {status=0x0, info=1}, ) == 0x0 03514 572 NtQueryDirectoryFile (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03515 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03510 836 NtClose ... ) == 0x0 03516 836 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 612, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 612, 2, ) , 0, ... 612, 2, ) == 0x0 03517 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 592, ) }, ... 592, ) == 0x0 03518 836 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03519 836 NtQueryValueKey (612, (612, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03520 836 NtQueryValueKey (612, (612, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03521 836 NtClose (612, ... 03522 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03523 572 NtClose (628, ... 
) == 0x0 03524 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Desktop\"}, 3, 16417, ... 628, {status=0x0, info=1}, ) }, 3, 16417, ... 628, {status=0x0, info=1}, ) == 0x0 03525 572 NtQueryDirectoryFile (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, (628, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03526 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03521 836 NtClose ... ) == 0x0 03501 392 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03527 836 NtClose (592, ... 03528 392 NtQueryAttributesFile ({24, 224, 0x40, 0, 0, ({24, 224, 0x40, 0, 0, "wsock32.dll"}, 1237320, ... }, 1237320, ... 03527 836 NtClose ... ) == 0x0 03528 392 NtQueryAttributesFile ... ) == 0x0 03529 836 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... }, 0x0, 128, 3, 3, 0, 0, 0, ... 03530 392 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... }, 5, 96, ... 03529 836 NtCreateFile ... 592, {status=0x0, info=0}, ) == 0x0 03530 392 NtOpenFile ... 612, {status=0x0, info=1}, ) == 0x0 03531 836 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 03532 392 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 612, ... 03533 572 NtQueryDirectoryFile (628, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03531 836 NtCreateEvent ... 624, ) == 0x0 03533 572 NtQueryDirectoryFile ... 
) == STATUS_NO_MORE_FILES 03534 836 NtDeviceIoControlFile (592, 624, 0x0, 0x0, 0xf14014, (592, 624, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0<\367*\1O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0\210\260\25\0\0\0\0\0L\370*\1\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\00|\25\0`4\26\0\24\232\347w\223|\26\0\270\17\26\0\306\17\26\0\224|\25\0\377\377\0\0\0\0\0\0\224|\25\0\7\0\0\0\270\17\26\0\370\367*\1\177;\245q\0\0\0\0\0\0\0\0\270\17\26\0\0\0\0\0\224|\25\0\377\377\0\0\1\0\0\0\210\1\24\0\220\260\25\0\4\0\0\0\0\0\0\0\210\1\24\0\210\260\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\210|\25\0t|\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0`4\1\1\0\0\24\0\220\367*\1p\374*\1\334\377*\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q`4\26\00m\25\0\320'\26\0\350'\26\0\270\17\26\0\306\17\26\0\224|\25\0\377\377\0\0\0\0\0\0\224|\25\0\7\0\0\0\270\17\26\0\300\370*\1\177;\245q\0\0\0\0\0\0\0\0\270\17\26\0\0\0\0\0\224|\25\0\377\377\0\0\1\0\0\0\210\1\24\0\340\35\26\0\4\0\0\0\0\0\0\0\210\1\24\0\330\35\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\210|\25\0t|\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0(-\1\1\0\0\24\0X\370*\18\375*\1\334\377*\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q(-\25\00m\25\0\320'\26\0", 1552, 0, ... , 1552, 0, ... 03535 572 NtClose (628, ... 03534 836 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03535 572 NtClose ... ) == 0x0 03536 836 NtClose (624, ... 03537 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Cookies\"}, 3, 16417, ... }, 3, 16417, ... 03536 836 NtClose ... ) == 0x0 03537 572 NtOpenFile ... 624, {status=0x0, info=1}, ) == 0x0 03538 836 NtClose (592, ... 03532 392 NtCreateSection ... 628, ) == 0x0 03539 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03540 392 NtQuerySection (628, Image, 48, ... 
03539 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03540 392 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 03541 572 NtQueryDirectoryFile (624, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03542 392 NtClose (612, ... 03541 572 NtQueryDirectoryFile ... {status=0x0, info=216}, ) == 0x0 03542 392 NtClose ... ) == 0x0 03538 836 NtClose ... ) == 0x0 03543 392 NtMapViewOfSection (628, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 03544 836 NtWaitForSingleObject (232, 0, {0, 0}, ... 03545 572 NtQueryDirectoryFile (624, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03544 836 NtWaitForSingleObject ... ) == 0x102 03545 572 NtQueryDirectoryFile ... ) == STATUS_NO_MORE_FILES 03546 836 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 19594472, 67, ... }, 0x0, 0, 3, 3, 0, 19594472, 67, ... 03547 572 NtClose (624, ... 03546 836 NtCreateFile ... 592, {status=0x0, info=0}, ) == 0x0 03547 572 NtClose ... ) == 0x0 03543 392 NtMapViewOfSection ... (0x71ad0000), 0x0, 32768, ) == 0x0 03548 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\"}, 3, 16417, ... }, 3, 16417, ... 03549 392 NtClose (628, ... 03548 572 NtOpenFile ... 624, {status=0x0, info=1}, ) == 0x0 03549 392 NtClose ... 
) == 0x0 03550 836 NtDeviceIoControlFile (592, 580, 0x0, 0x0, 0x12047, (592, 580, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\34\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0<5\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\30\0W\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03551 836 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03552 836 NtDeviceIoControlFile (592, 580, 0x0, 0x0, 0x1203b, (592, 580, 0x0, 0x0, 0x1203b, "\2\0\0\0 \31\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03553 836 NtDeviceIoControlFile (592, 580, 0x0, 0x0, 0x12003, (592, 580, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\16\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=628}, (592, 580, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\16\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03554 836 NtDeviceIoControlFile (592, 580, 0x0, 0x0, 0x12047, (592, 580, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\260\36\26\0\2\0\4\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0<5\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\30\0W\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03555 836 NtDeviceIoControlFile (524, 0, 0x0, 0x1624f8, 0x12007, (524, 0, 0x0, 0x1624f8, 0x12007, "\0\0\0\0\16\0\2\0P\2\0\0\1\0\0\0\16\0\2\0\1\275\300\250\33$h\376*\1MYWO", 34, 8, ... , 34, 8, ... 03556 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03298 584 NtDelayExecution ... ) == 0x0 03557 392 NtClearEvent (312, ... 03556 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03558 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03557 392 NtClearEvent ... ) == 0x0 03559 572 NtQueryDirectoryFile (624, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... 03558 584 NtAllocateVirtualMemory ... 20250624, 1048576, ) == 0x0 03560 392 NtSetEvent (312, ... 03559 572 NtQueryDirectoryFile ... {status=0x0, info=332}, ) == 0x0 03561 584 NtAllocateVirtualMemory (-1, 21291008, 0, 8192, 4096, 4, ... 03560 392 NtSetEvent ... 0x0, ) == 0x0 03460 732 NtRemoveIoCompletion ... 1906658213, 1451256, {status=0xc000023d, info=0}, ) == 0x0 03555 836 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03561 584 NtAllocateVirtualMemory ... 
21291008, 8192, ) == 0x0 03562 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03563 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03564 836 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03565 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\"}, 3, 16417, ... }, 3, 16417, ... 03563 732 NtCreateEvent ... 612, ) == 0x0 03562 392 NtAllocateVirtualMemory ... 21299200, 1048576, ) == 0x0 03564 836 NtCreateEvent ... 632, ) == 0x0 03566 732 NtWaitForSingleObject (612, 0, 0x0, ... 03565 572 NtOpenFile ... 636, {status=0x0, info=1}, ) == 0x0 03567 584 NtProtectVirtualMemory (-1, (0x144e000), 4096, 260, ... 03568 836 NtClose (632, ... 03569 572 NtQueryDirectoryFile (636, 0, 0, 0, 11790432, 616, BothDirectory, 1, (636, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03567 584 NtProtectVirtualMemory ... (0x144e000), 4096, 4, ) == 0x0 03568 836 NtClose ... ) == 0x0 03569 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03570 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 03571 836 NtSetEventBoostPriority (612, ... 03572 392 NtAllocateVirtualMemory (-1, 22339584, 0, 8192, 4096, 4, ... 03570 584 NtCreateThread ... 632, {316, 860}, ) == 0x0 03573 572 NtQueryDirectoryFile (636, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... 03572 392 NtAllocateVirtualMemory ... 22339584, 8192, ) == 0x0 03574 584 NtQueryInformationThread (632, Basic, 28, ... 03573 572 NtQueryDirectoryFile ... {status=0x0, info=356}, ) == 0x0 03575 392 NtProtectVirtualMemory (-1, (0x154e000), 4096, 260, ... 03574 584 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=316,Tid=860,}, 0x0, ) == 0x0 03576 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\"}, 3, 16417, ... }, 3, 16417, ... 03575 392 NtProtectVirtualMemory ... 
(0x154e000), 4096, 4, ) == 0x0 03566 732 NtWaitForSingleObject ... ) == 0x0 03571 836 NtSetEventBoostPriority ... ) == 0x0 03576 572 NtOpenFile ... 640, {status=0x0, info=1}, ) == 0x0 03577 732 NtDeviceIoControlFile (592, 512, 0x0, 0x0, 0x12037, (592, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 03578 392 NtCreateThread (0x1f03ff, 0x0, -1, 1238976, 1239692, 1, ... 03579 836 NtDeviceIoControlFile (592, 580, 0x0, 0x0, 0x12024, (592, 580, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0P\2\0\0\4\0\0\0\350\374*\1", 28, 28, ... , 28, 28, ... 03577 732 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03580 572 NtQueryDirectoryFile (640, 0, 0, 0, 11789812, 616, BothDirectory, 1, (640, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03578 392 NtCreateThread ... 644, {316, 864}, ) == 0x0 03579 836 NtDeviceIoControlFile ... {status=0x71a561a7, info=0}, "", ) == 0x103 03581 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 03580 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 03582 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1562, 0} (24, {28, 56, new_msg, 0, 316, 584, 1562, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0x\2\0\0<\1\0\0\\3\0\0" ... ... 03583 836 NtWaitForSingleObject (580, 1, {-5000000, -1}, ... 03584 572 NtAllocateVirtualMemory (-1, 1474560, 0, 8192, 4096, 4, ... 03582 584 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 584, 1567, 0} ... {28, 56, reply, 0, 316, 584, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0x\2\0\0<\1\0\0\\3\0\0" ) ) == 0x0 03584 572 NtAllocateVirtualMemory ... 1474560, 8192, ) == 0x0 03585 584 NtResumeThread (632, ... 03586 572 NtQueryDirectoryFile (640, 0, 0, 0, 1471304, 4096, BothDirectory, 0, 0x0, 0, ... 03585 584 NtResumeThread ... 1, ) == 0x0 03586 572 NtQueryDirectoryFile ... {status=0x0, info=340}, ) == 0x0 03587 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
03588 392 NtQueryInformationThread (644, Basic, 28, ... 03589 860 NtTestAlert (... 03590 572 NtDelayExecution (0, {-10000, -1}, ... 03588 392 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=316,Tid=864,}, 0x0, ) == 0x0 03589 860 NtTestAlert ... ) == 0x0 03591 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1238910, 1907058752, 80, 1238812} (24, {28, 56, new_msg, 0, 1238910, 1907058752, 80, 1238812} "\0\0\0\0\1\0\1\0r\0\0\0\0\0\253q\204\2\0\0<\1\0\0`\3\0\0" ... ... 03592 860 NtContinue (21298480, 1, ... 03591 392 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 392, 1568, 0} ... {28, 56, reply, 0, 316, 392, 1568, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\253q\204\2\0\0<\1\0\0`\3\0\0" ) ) == 0x0 03593 860 NtRegisterThreadTerminatePort (24, ... 03594 392 NtResumeThread (644, ... 03593 860 NtRegisterThreadTerminatePort ... ) == 0x0 03587 584 NtAllocateVirtualMemory ... 22347776, 1048576, ) == 0x0 03594 392 NtResumeThread ... 1, ) == 0x0 03595 584 NtAllocateVirtualMemory (-1, 23388160, 0, 8192, 4096, 4, ... 03596 392 NtWaitForSingleObject (256, 0, 0x0, ... 03595 584 NtAllocateVirtualMemory ... 23388160, 8192, ) == 0x0 03596 392 NtWaitForSingleObject ... ) == 0x0 03597 584 NtProtectVirtualMemory (-1, (0x164e000), 4096, 260, ... 03598 392 NtQueryInformationFile (268, 1238996, 24, Standard, ... 03597 584 NtProtectVirtualMemory ... (0x164e000), 4096, 4, ) == 0x0 03598 392 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03599 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 03600 860 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03601 864 NtTestAlert (... 03602 392 NtReleaseMutant (256, ... 03600 860 NtDuplicateObject ... 648, ) == 0x0 03601 864 NtTestAlert ... ) == 0x0 03602 392 NtReleaseMutant ... 0x0, ) == 0x0 03603 860 NtWaitForSingleObject (232, 0, {0, 0}, ... 03604 864 NtContinue (22347056, 1, ... 03603 860 NtWaitForSingleObject ... ) == 0x102 03605 864 NtRegisterThreadTerminatePort (24, ... 
03606 860 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03605 864 NtRegisterThreadTerminatePort ... ) == 0x0 03607 392 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings"}, ... }, ... 03599 584 NtCreateThread ... 652, {316, 868}, ) == 0x0 03606 860 NtCreateEvent ... 656, ) == 0x0 03607 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03608 584 NtQueryInformationThread (652, Basic, 28, ... 03609 860 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 21298420, 67, ... }, 0x0, 0, 3, 3, 0, 21298420, 67, ... 03610 864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03608 584 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=316,Tid=868,}, 0x0, ) == 0x0 03609 860 NtCreateFile ... 660, {status=0x0, info=0}, ) == 0x0 03610 864 NtDuplicateObject ... 664, ) == 0x0 03611 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1567, 0} (24, {28, 56, new_msg, 0, 316, 584, 1567, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\214\2\0\0<\1\0\0d\3\0\0" ... ... 03612 860 NtDeviceIoControlFile (660, 656, 0x0, 0x0, 0x12047, (660, 656, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\009\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 03613 864 NtWaitForSingleObject (232, 0, {0, 0}, ... 03611 584 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 584, 1569, 0} ... 
{28, 56, reply, 0, 316, 584, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\214\2\0\0<\1\0\0d\3\0\0" ) ) == 0x0 03612 860 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 03613 864 NtWaitForSingleObject ... ) == 0x102 03614 392 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... }, ... 03615 860 NtWaitForSingleObject (232, 0, {0, 0}, ... 03616 864 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03614 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03617 584 NtResumeThread (652, ... 03615 860 NtWaitForSingleObject ... ) == 0x102 03618 392 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... }, ... 03617 584 NtResumeThread ... 1, ) == 0x0 03619 860 NtDeviceIoControlFile (660, 656, 0x0, 0x0, 0x1203b, (660, 656, 0x0, 0x0, 0x1203b, "\2\0\0\0P\31\25\0\1\0\0\0\0\0\0\0", 16, 0, ... , 16, 0, ... 03618 392 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03620 584 NtDelayExecution (0, {-500000, -1}, ... 03619 860 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03621 392 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... }, ... 03622 860 NtDeviceIoControlFile (660, 656, 0x0, 0x0, 0x12003, (660, 656, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 03621 392 NtOpenKey ... 668, ) == 0x0 03622 860 NtDeviceIoControlFile ... {status=0x0, info=672}, ... {status=0x0, info=672}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\17\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03616 864 NtCreateEvent ... 676, ) == 0x0 03623 868 NtTestAlert (... 03624 392 NtOpenKey (0x20019, {24, 668, 0x40, 0, 0, (0x20019, {24, 668, 0x40, 0, 0, "Ranges\"}, ... }, ... 
03625 864 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 22346476, 67, ... }, 0x0, 0, 3, 3, 0, 22346476, 67, ... 03623 868 NtTestAlert ... ) == 0x0 03624 392 NtOpenKey ... 680, ) == 0x0 03625 864 NtCreateFile ... 684, {status=0x0, info=0}, ) == 0x0 03626 868 NtContinue (23395632, 1, ... 03627 392 NtQueryKey (680, 4, 176, ... 03628 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12047, (684, 676, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0C\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 03629 868 NtRegisterThreadTerminatePort (24, ... 03627 392 NtQueryKey ... {key info, class 4, size 40}, 40, ) == 0x0 03628 864 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 03629 868 NtRegisterThreadTerminatePort ... ) == 0x0 03630 392 NtClose (680, ... 03631 864 NtWaitForSingleObject (232, 0, {0, 0}, ... 03632 860 NtDeviceIoControlFile (660, 656, 0x0, 0x0, 0x12047, (660, 656, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P8\26\0\2\0\4\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 03630 392 NtClose ... 
) == 0x0 03633 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03632 860 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03631 864 NtWaitForSingleObject ... ) == 0x102 03633 868 NtDuplicateObject ... 680, ) == 0x0 03634 860 NtDeviceIoControlFile (524, 0, 0x0, 0x15aa80, 0x12007, (524, 0, 0x0, 0x15aa80, 0x12007, "\0\0\0\0\16\0\2\0\224\2\0\0\1\0\0\0\16\0\2\0\1\275P\13\357\177\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03635 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12003, (684, 676, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\177\0\0\1\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 03636 868 NtWaitForSingleObject (292, 0, {0, 0}, ... 03581 732 NtRemoveIoCompletion ... 1906658213, 1419904, {status=0xc000023d, info=0}, ) == 0x0 03634 860 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03635 864 NtDeviceIoControlFile ... {status=0x0, info=688}, ... {status=0x0, info=688}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0", ) , ) == 0x0 03637 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03636 868 NtWaitForSingleObject ... ) == 0x102 03638 860 NtCreateEvent (0x100003, 0x0, 1, 0, ... 03637 732 NtCreateEvent ... 692, ) == 0x0 03639 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12037, (684, 676, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 03640 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03641 732 NtWaitForSingleObject (692, 0, 0x0, ... 03638 860 NtCreateEvent ... 696, ) == 0x0 03639 864 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03642 392 NtWaitForSingleObject (256, 0, 0x0, ... 03640 868 NtCreateEvent ... 700, ) == 0x0 03643 860 NtClose (696, ... 03642 392 NtWaitForSingleObject ... ) == 0x0 03644 868 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 03643 860 NtClose ... ) == 0x0 03645 392 NtQueryInformationFile (268, 1234984, 24, Standard, ... 03644 868 NtCreateEvent ... 696, ) == 0x0 03646 860 NtSetEventBoostPriority (692, ... 
03645 392 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03647 868 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03641 732 NtWaitForSingleObject ... ) == 0x0 03646 860 NtSetEventBoostPriority ... ) == 0x0 03648 392 NtReleaseMutant (256, ... 03649 732 NtDeviceIoControlFile (660, 512, 0x0, 0x0, 0x12037, (660, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 03647 868 NtDuplicateObject ... 704, ) == 0x0 03650 860 NtDeviceIoControlFile (660, 656, 0x0, 0x0, 0x12024, (660, 656, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0\224\2\0\0\4\0\0\0\364\374D\1", 28, 28, ... , 28, 28, ... 03651 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12047, (684, 676, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 03649 732 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03652 868 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 1769234800, 996502626, 1230196000, 775299141} (548, {64, 88, new_msg, 0, 1769234800, 996502626, 1230196000, 775299141} "\1;\0\0A\2\10\0ws NT 5.1)\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03650 860 NtDeviceIoControlFile ... {status=0x71a561a7, info=0}, "", ) == 0x103 03651 864 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03653 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 03648 392 NtReleaseMutant ... 0x0, ) == 0x0 03652 868 NtRequestWaitReplyPort ... 
{52, 76, reply, 0, 316, 868, 1570, 0} ... {52, 76, reply, 0, 316, 868, 1570, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03654 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 03655 392 NtWaitForSingleObject (256, 0, 0x0, ... 03656 868 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 03654 864 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0", ) , ) == 0x0 03655 392 NtWaitForSingleObject ... ) == 0x0 03656 868 NtCreateKey ... 708, 2, ) == 0x0 03657 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12007, (684, 676, 0x0, 0x0, 0x12007, "\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\16\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0", 34, 0, ... , 34, 0, ... 03658 392 NtQueryInformationFile (268, 1236924, 24, Standard, ... 03659 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 03657 864 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x103 03658 392 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03659 868 NtOpenKey ... 712, ) == 0x0 03660 860 NtWaitForSingleObject (656, 1, {-5000000, -1}, ... 03661 864 NtWaitForSingleObject (676, 1, {-5000000, -1}, ... 03662 392 NtReleaseMutant (256, ... 03661 864 NtWaitForSingleObject ... ) == 0x0 03662 392 NtReleaseMutant ... 0x0, ) == 0x0 03663 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12037, (684, 676, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 03664 392 NtClose (-1, ... 03663 864 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03664 392 NtClose ... 
) == STATUS_INVALID_HANDLE 03665 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12047, (684, 676, 0x0, 0x0, 0x12047, "\3\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\205\26\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0\2\0\4\20\177\0\0\1\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 03666 392 NtWaitForSingleObject (256, 0, 0x0, ... 03667 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03668 868 NtQueryValueKey (708, (708, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03669 868 NtQueryValueKey (708, (708, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (708, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03670 868 NtClose (708, ... ) == 0x0 03671 868 NtClose (712, ... ) == 0x0 03672 868 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 712, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 712, 2, ) , 0, ... 712, 2, ) == 0x0 03665 864 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03666 392 NtWaitForSingleObject ... 
) == 0x0 03673 864 NtDeviceIoControlFile (684, 676, 0x0, 0x0, 0x12024, (684, 676, 0x0, 0x0, 0x12024, "\200\17\5\375\377\377\377\377\1\0\0\0\0\27\245q\254\2\0\0\31\0\0\0(\271\245q", 28, 28, ... , 28, 28, ... 03674 392 NtQueryInformationFile (268, 1237044, 24, Standard, ... 03673 864 NtDeviceIoControlFile ... {status=0x0, info=1906644165}, ... {status=0x0, info=1906644165}, "\200\17\5\375\377\377\377\377\1\0\0\0\0\27\245q\254\2\0\0\31\0\0\0(\271\245q", ) , ) == 0x103 03674 392 NtQueryInformationFile ... {status=0x0, info=24}, ) == 0x0 03675 864 NtWaitForSingleObject (676, 1, {-5000000, -1}, ... 03676 392 NtReleaseMutant (256, ... 0x0, ) == 0x0 03677 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 708, ) == 0x0 03678 392 NtCreateTimer (0x1f0003, 0x0, 0, ... 716, ) == 0x0 03679 392 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 720, ) == 0x0 03680 392 NtSetInformationObject (720, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... 03681 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 724, ) }, ... 724, ) == 0x0 03682 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03683 868 NtQueryValueKey (712, (712, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03684 868 NtQueryValueKey (712, (712, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03685 868 NtClose (712, ... ) == 0x0 03686 868 NtClose (724, ... ) == 0x0 03680 392 NtSetInformationObject ... ) == 0x0 03687 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
23396352, 1048576, ) == 0x0 03688 392 NtAllocateVirtualMemory (-1, 24436736, 0, 8192, 4096, 4, ... 24436736, 8192, ) == 0x0 03689 392 NtProtectVirtualMemory (-1, (0x174e000), 4096, 260, ... (0x174e000), 4096, 4, ) == 0x0 03690 392 NtCreateThread (0x1f03ff, 0x0, -1, 1236488, 1237204, 1, ... 724, {316, 872}, ) == 0x0 03691 392 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=316,Tid=872,}, 0x0, ) == 0x0 03692 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1, 0, 0, 25690242} (24, {28, 56, new_msg, 0, 1, 0, 0, 25690242} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\2\0\0<\1\0\0h\3\0\0" ... ... 03693 868 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03694 868 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 316, 868, 1570, 0} (548, {64, 88, new_msg, 0, 316, 868, 1570, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 868, 1571, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 868, 1571, 0} (548, {64, 88, new_msg, 0, 316, 868, 1570, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 868, 1571, 0} "\2\200\372\177\1\00\300\0\0\0\0\17\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03695 868 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 712, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 712, 2, ) , 0, ... 
712, 2, ) == 0x0 03696 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 728, ) }, ... 728, ) == 0x0 03697 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03692 392 NtRequestWaitReplyPort ... {28, 56, reply, 0, 316, 392, 1572, 0} ... {28, 56, reply, 0, 316, 392, 1572, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\324\2\0\0<\1\0\0h\3\0\0" ) ) == 0x0 03698 392 NtResumeThread (724, ... 0x0, ) == 0x0 03699 392 NtWaitForSingleObject (720, 0, 0x0, ... 03700 868 NtQueryValueKey (712, (712, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03701 868 NtQueryValueKey (712, (712, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (712, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03702 868 NtClose (712, ... ) == 0x0 03703 872 NtAllocateVirtualMemory (-1, 3297280, 0, 4096, 4096, 4, ... 3297280, 4096, ) == 0x0 03704 872 NtTestAlert (... ) == 0x0 03705 872 NtContinue (24444208, 1, ... 03706 872 NtRegisterThreadTerminatePort (24, ... ) == 0x0 03707 872 NtCancelTimer (716, 0, ... ) == 0x0 03708 872 NtSetTimer (716, {0, -2147483648}, 0x77f5c6d3, 0x0, 0, 0, 0, ... ) == 0x0 03709 868 NtClose (728, ... ) == 0x0 03710 868 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 728, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 728, 2, ) , 0, ... 
728, 2, ) == 0x0 03711 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 712, ) }, ... 712, ) == 0x0 03712 868 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03713 868 NtQueryValueKey (728, (728, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (728, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03714 868 NtQueryValueKey (728, (728, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (728, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03715 872 NtSetEvent (720, ... 0x0, ) == 0x0 03716 872 NtDelayExecution (1, {0, -2147483648}, ... 03717 868 NtClose (728, ... ) == 0x0 03718 868 NtClose (712, ... ) == 0x0 03719 868 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 712, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 712, {status=0x0, info=0}, ) == 0x0 03699 392 NtWaitForSingleObject ... ) == 0x0 03720 392 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03721 392 NtCreateIoCompletion (0x1f0003, 0x0, 1, ... 728, ) == 0x0 03722 392 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24444928, 1048576, ) == 0x0 03723 392 NtAllocateVirtualMemory (-1, 25485312, 0, 8192, 4096, 4, ... 25485312, 8192, ) == 0x0 03724 392 NtProtectVirtualMemory (-1, (0x184e000), 4096, 260, ... 
(0x184e000), 4096, 4, ) == 0x0 03725 392 NtCreateThread (0x1f03ff, 0x0, -1, 1236568, 1237284, 1, ... 03726 868 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 732, ) == 0x0 03727 868 NtDeviceIoControlFile (712, 732, 0x0, 0x0, 0xf14014, (712, 732, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0<\367d\1O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0 C\26\0\0\0\0\0L\370d\1\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\00|\25\0\2405\26\0\24\232\347w\223|\26\0\330\221\26\0\346\221\26\0\224|\25\0\377\377\0\0\0\0\0\0\224|\25\0\7\0\0\0\330\221\26\0\370\367d\1\177;\245q\0\0\0\0\0\0\0\0\330\221\26\0\0\0\0\0\224|\25\0\377\377\0\0\1\0\0\0\210\1\24\0(C\26\0\4\0\0\0\0\0\0\0\210\1\24\0 C\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\210|\25\0t|\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\2405\1\1\0\0\24\0\220\367d\1p\374d\1\334\377d\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\2405\26\0\360\37\26\0\320'\26\0\350'\26\0\330\221\26\0\346\221\26\0\224|\25\0\377\377\0\0\0\0\0\0\224|\25\0\7\0\0\0\330\221\26\0\300\370d\1\177;\245q\0\0\0\0\0\0\0\0\330\221\26\0\0\0\0\0\224|\25\0\377\377\0\0\1\0\0\0\210\1\24\0`\217\26\0\4\0\0\0\0\0\0\0\210\1\24\0X\217\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\210|\25\0t|\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0(-\1\1\0\0\24\0X\370d\18\375d\1\334\377d\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q(-\25\0\360\37\26\0\320'\26\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03728 868 NtClose (732, ... ) == 0x0 03729 868 NtClose (712, ... ) == 0x0 03730 868 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03731 868 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 23395560, 67, ... }, 0x0, 0, 3, 3, 0, 23395560, 67, ... 03725 392 NtCreateThread ... 712, {316, 876}, ) == 0x0 03732 392 NtQueryInformationThread (712, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=316,Tid=876,}, 0x0, ) == 0x0 03733 392 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1, 0, 1236444, 1236376} (24, {28, 56, new_msg, 0, 1, 0, 1236444, 1236376} "\0\0\0\0\1\0\1\0\0\0\0\0\334\335\22\0\310\2\0\0<\1\0\0l\3\0\0" ... {28, 56, reply, 0, 316, 392, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\335\22\0\310\2\0\0<\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 316, 392, 1573, 0} (24, {28, 56, new_msg, 0, 1, 0, 1236444, 1236376} "\0\0\0\0\1\0\1\0\0\0\0\0\334\335\22\0\310\2\0\0<\1\0\0l\3\0\0" ... {28, 56, reply, 0, 316, 392, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\334\335\22\0\310\2\0\0<\1\0\0l\3\0\0" ) ) == 0x0 03734 392 NtResumeThread (712, ... 0x0, ) == 0x0 03735 392 NtClose (712, ... ) == 0x0 03736 392 NtSetIoCompletion (728, 2012594853, 1449968, 0, 1479032, ... ) == 0x0 03731 868 NtCreateFile ... 712, {status=0x0, info=0}, ) == 0x0 03737 876 NtTestAlert (... 03738 868 NtDeviceIoControlFile (712, 700, 0x0, 0x0, 0x12047, (712, 700, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\222\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0L\222\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 03737 876 NtTestAlert ... ) == 0x0 03738 868 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 03739 876 NtContinue (25492784, 1, ... 03740 868 NtWaitForSingleObject (232, 0, {0, 0}, ... 03741 876 NtRegisterThreadTerminatePort (24, ... 03740 868 NtWaitForSingleObject ... ) == 0x102 03741 876 NtRegisterThreadTerminatePort ... ) == 0x0 03742 392 NtUserCallOneParam (8, 38, ... 
03743 868 NtDeviceIoControlFile (712, 700, 0x0, 0x0, 0x1203b, (712, 700, 0x0, 0x0, 0x1203b, "\2\0\0\0\300\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... , 16, 0, ... 03742 392 NtUserCallOneParam ... ) == 0x24 03743 868 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 03744 392 NtWaitForMultipleObjects (1, (36, ), 1, 0, {-50000000, -1}, ... 03745 868 NtDeviceIoControlFile (712, 700, 0x0, 0x0, 0x12003, (712, 700, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=732}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\21\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=732}, (712, 700, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=732}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\21\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03746 868 NtDeviceIoControlFile (712, 700, 0x0, 0x0, 0x12047, (712, 700, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\222\26\0\2\0\4\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0L\222\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03747 868 NtDeviceIoControlFile (524, 0, 0x0, 0x169490, 0x12007, (524, 0, 0x0, 0x169490, 0x12007, "\0\0\0\0\16\0\2\0\310\2\0\0\1\0\0\0\16\0\2\0\1\275\300\250P\13h\376d\1MYWO", 34, 8, ... , 34, 8, ... 03653 732 NtRemoveIoCompletion ... 1906658213, 1479824, {status=0xc000023d, info=0}, ) == 0x0 03748 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 736, ) == 0x0 03749 732 NtWaitForSingleObject (736, 0, 0x0, ... 03747 868 NtDeviceIoControlFile ... 
{status=0xc000023d, info=0}, "", ) == 0x103 03750 868 NtSetEventBoostPriority (736, ... 03749 732 NtWaitForSingleObject ... ) == 0x0 03751 732 NtDeviceIoControlFile (712, 512, 0x0, 0x0, 0x12037, (712, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (712, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03752 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 03750 868 NtSetEventBoostPriority ... ) == 0x0 03753 868 NtDeviceIoControlFile (712, 700, 0x0, 0x0, 0x12024, (712, 700, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0\310\2\0\0\4\0\0\0\350\374d\1", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... {status=0x71a561a7, info=0}, "", ) == 0x103 03754 876 NtRemoveIoCompletion (728, {-400000000, -1}, ... 2012594853, 1449968, {status=0x0, info=1479032}, ) == 0x0 03755 876 NtWaitForSingleObject (320, 0, 0x0, ... ) == 0x0 03756 876 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 03757 876 NtReleaseMutant (324, ... 0x0, ) == 0x0 03758 876 NtQueryValueKey (88, (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03759 868 NtWaitForSingleObject (700, 1, {-5000000, -1}, ... 03760 876 NtQueryValueKey (88, (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03761 876 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03762 876 NtQueryInformationFile (268, 25492632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03763 876 NtReleaseMutant (256, ... 0x0, ) == 0x0 03764 876 NtReleaseMutant (320, ... 
0x0, ) == 0x0 03765 876 NtAllocateVirtualMemory (-1, 25481216, 0, 4096, 4096, 260, ... 25481216, 4096, ) == 0x0 03766 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 740, ) }, ... 740, ) == 0x0 03767 876 NtRequestWaitReplyPort (240, {28, 52, new_msg, 0, 0, 0, 0, 0} (240, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\35\25\0" ... {176, 200, reply, 0, 316, 876, 1574, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 316, 876, 1574, 0} (240, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\35\25\0" ... {176, 200, reply, 0, 316, 876, 1574, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 03768 876 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 744, ) }, {8, 0}, 4, 134217728, 0, ... 744, ) == 0x0 03769 876 NtMapViewOfSection (744, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x12b0000), {0, 0}, 4096, ) == 0x0 03770 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 748, ) }, ... 748, ) == 0x0 03771 876 NtQueryValueKey (748, (748, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (748, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03772 876 NtClose (748, ... ) == 0x0 03773 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 748, ) }, ... 748, ) == 0x0 03774 876 NtOpenKey (0x20019, {24, 748, 0x40, 0, 0, (0x20019, {24, 748, 0x40, 0, 0, "0"}, ... 752, ) }, ... 752, ) == 0x0 03775 876 NtClose (752, ... ) == 0x0 03776 876 NtOpenKey (0x20019, {24, 748, 0x40, 0, 0, (0x20019, {24, 748, 0x40, 0, 0, "1"}, ... 752, ) }, ... 752, ) == 0x0 03777 876 NtClose (752, ... ) == 0x0 03778 876 NtOpenKey (0x20019, {24, 748, 0x40, 0, 0, (0x20019, {24, 748, 0x40, 0, 0, "2"}, ... 752, ) }, ... 752, ) == 0x0 03779 876 NtClose (752, ... ) == 0x0 03780 876 NtOpenKey (0x20019, {24, 748, 0x40, 0, 0, (0x20019, {24, 748, 0x40, 0, 0, "3"}, ... 752, ) }, ... 752, ) == 0x0 03781 876 NtClose (752, ... ) == 0x0 03782 876 NtOpenKey (0x20019, {24, 748, 0x40, 0, 0, (0x20019, {24, 748, 0x40, 0, 0, "4"}, ... 752, ) }, ... 752, ) == 0x0 03783 876 NtClose (752, ... ) == 0x0 03784 876 NtClose (748, ... ) == 0x0 03785 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 748, ) }, ... 748, ) == 0x0 03786 876 NtEnumerateKey (748, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (748, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 03787 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 752, ) }, ... 752, ) == 0x0 03788 876 NtQueryValueKey (752, (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 03789 876 NtClose (752, ... ) == 0x0 03790 876 NtEnumerateKey (748, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) == 0x0 03791 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 752, ) == 0x0 03792 876 NtQueryValueKey (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) == 0x0 03793 876 NtWaitForSingleObject (64, 0, 0x0, ... ) == 0x0 03794 876 NtReleaseMutant (64, ... 0x0, ) == 0x0 03795 876 NtOpenKey (0x2001f, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 756, ) == 0x0 03796 876 NtSetValueKey (756, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) == 0x0 03797 876 NtSetValueKey (756, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) == 0x0 03798 876 NtSetValueKey (756, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) == 0x0 03799 876 NtClose (756, ... ) == 0x0 03800 876 NtClose (752, ... ) == 0x0 03801 876 NtEnumerateKey (748, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) == 0x0
03802 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 752, ) == 0x0 03803 876 NtQueryValueKey (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) == 0x0 03804 876 NtClose (752, ... ) == 0x0 03805 876 NtEnumerateKey (748, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) == 0x0 03806 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 752, ) == 0x0 03807 876 NtQueryValueKey (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 03808 876 NtClose (752, ... ) == 0x0 03809 876 NtEnumerateKey (748, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) == 0x0 03810 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 752, ) == 0x0 03811 876 NtQueryValueKey (752, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) == 0x0 03812 876 NtClose (752, ... ) == 0x0 03813 876 NtEnumerateKey (748, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03814 876 NtClose (748, ... ) == 0x0 03815 876 NtWaitForSingleObject (64, 0, 0x0, ... ) == 0x0 03816 876 NtReleaseMutant (64, ... 0x0, ) == 0x0
03817 876 NtOpenKey (0x20019, {24, 740, 0x40, 0, 0, "Domains\j0r.biz"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03818 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\j0r.biz"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03819 876 NtQueryValueKey (740, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 03820 876 NtQueryValueKey (740, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 03821 876 NtClearEvent (312, ... ) == 0x0 03822 876 NtSetEvent (312, ... 0x0, ) == 0x0 03823 876 NtOpenKey (0x20019, {24, 740, 0x40, 0, 0, "ProtocolDefaults\"}, ... 748, ) == 0x0 03824 876 NtQueryValueKey (748, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) == 0x0 03825 876 NtClose (748, ... ) == 0x0 03826 876 NtWaitForSingleObject (64, 0, 0x0, ... ) == 0x0 03827 876 NtReleaseMutant (64, ... 0x0, ) == 0x0 03828 876 NtWaitForSingleObject (64, 0, 0x0, ... ) == 0x0 03829 876 NtReleaseMutant (64, ... 0x0, ) == 0x0 03830 876 NtWaitForSingleObject (68, 0, 0x0, ... ) == 0x0 03831 876 NtReleaseMutant (68, ... 0x0, ) == 0x0 03832 876 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 748, ) == 0x0 03833 876 NtQueryValueKey (748, (748, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (748, "1A10", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03834 876 NtWaitForSingleObject (68, 0, 0x0, ... ) == 0x0 03835 876 NtReleaseMutant (68, ... 0x0, ) == 0x0 03836 876 NtWaitForSingleObject (68, 0, 0x0, ... ) == 0x0 03837 876 NtReleaseMutant (68, ... 0x0, ) == 0x0 03838 876 NtClose (748, ... ) == 0x0 03839 876 NtAllocateVirtualMemory (-1, 1482752, 0, 8192, 4096, 4, ... 1482752, 8192, ) == 0x0 03840 876 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03841 876 NtQueryInformationFile (268, 25492884, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03842 876 NtReleaseMutant (256, ... 0x0, ) == 0x0 03843 876 NtAllocateVirtualMemory (-1, 1490944, 0, 8192, 4096, 4, ... 1490944, 8192, ) == 0x0 03844 876 NtWaitForSingleObject (256, 0, 0x0, ... ) == 0x0 03845 876 NtQueryInformationFile (268, 25490500, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03846 876 NtReleaseMutant (256, ... 0x0, ) == 0x0 03847 876 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 03848 876 NtQueryInformationFile (280, 25492464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03849 876 NtReleaseMutant (308, ... 0x0, ) == 0x0 03850 876 NtWaitForSingleObject (308, 0, 0x0, ... ) == 0x0 03851 876 NtQueryInformationFile (280, 25492424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03852 876 NtReleaseMutant (308, ... 0x0, ) == 0x0 03853 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 748, ) == 0x0 03854 876 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03855 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 752, ) == 0x0 03856 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 756, ) == 0x0 03857 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 760, ) == 0x0 03858 876 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 0, 0, 0, 0} (548, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 316, 876, 1575, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 876, 1575, 0} (548, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 876, 1575, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 _\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03859 876 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 764, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 764, 2, ) , 0, ... 764, 2, ) == 0x0 03860 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 768, ) }, ... 768, ) == 0x0 03861 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03862 876 NtQueryValueKey (764, (764, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (764, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03863 876 NtQueryValueKey (764, (764, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (764, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03864 876 NtClose (764, ... ) == 0x0 03865 876 NtClose (768, ... 
) == 0x0 03866 876 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 768, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 768, 2, ) , 0, ... 768, 2, ) == 0x0 03867 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 764, ) }, ... 764, ) == 0x0 03868 876 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03869 876 NtQueryValueKey (768, (768, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03870 876 NtQueryValueKey (768, (768, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (768, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03871 876 NtClose (768, ... ) == 0x0 03872 876 NtClose (764, ... ) == 0x0 03873 876 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03874 876 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 764, ) }, ... 764, ) == 0x0 03875 876 NtQueryValueKey (764, (764, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (764, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03876 876 NtQueryValueKey (764, (764, "ComputerName", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (764, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03877 876 NtClose (764, ... ) == 0x0 03878 876 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03879 876 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03880 876 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 03881 876 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 03882 876 NtRequestWaitReplyPort (548, {84, 108, new_msg, 0, 316, 876, 1575, 0} (548, {84, 108, new_msg, 0, 316, 876, 1575, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0d\254\26\0\10\0\0\0\0\0\0\0\10\0\0\0j\00\0r\0.\0b\0i\0z\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03590 572 NtDelayExecution ... ) == 0x0 03883 572 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 11790260, (0x80100080, {24, 0, 0x42, 0, 11790260, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.txt"}, 0x0, 128, 3, 1, 96, 0, 0, ... 764, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 764, {status=0x0, info=1}, ) == 0x0 03884 572 NtQueryVolumeInformationFile (764, 11790364, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03885 572 NtAllocateVirtualMemory (-1, 3301376, 0, 8192, 4096, 4, ... 3301376, 8192, ) == 0x0 03886 572 NtReadFile (764, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=141}, (764, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=141}, "\15\1201/16/2007 10:09:22 Cleaning install stubs; Company GUID is ">{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS"...\15\1201/16/2007 10:09:22 Done.\15\12", ) >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS (764, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=141}, "\15\1201/16/2007 10:09:22 Cleaning install stubs; Company GUID is ">{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS"...\15\1201/16/2007 10:09:22 Done.\15\12", ) , ) == 0x0 03887 572 NtReadFile (764, 0, 0, 0, 4096, 0x0, 0, ... ) == STATUS_END_OF_FILE 03888 572 NtClose (764, ... ) == 0x0 03889 572 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 11790260, (0x80100080, {24, 0, 0x42, 0, 11790260, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.txt"}, 0x0, 128, 3, 1, 96, 0, 0, ... 764, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 764, {status=0x0, info=1}, ) == 0x0 03890 572 NtQueryVolumeInformationFile (764, 11790364, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03891 572 NtReadFile (764, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=141}, (764, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=141}, "\15\1201/16/2007 10:09:22 Cleaning install stubs; Company GUID is ">{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS"...\15\1201/16/2007 10:09:22 Done.\15\12", ) >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS (764, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=141}, "\15\1201/16/2007 10:09:22 Cleaning install stubs; Company GUID is ">{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS"...\15\1201/16/2007 10:09:22 Done.\15\12", ) , ) == 0x0 03892 572 NtReadFile (764, 0, 0, 0, 4096, 0x0, 0, ... ) == STATUS_END_OF_FILE 03893 572 NtClose (764, ... ) == 0x0 03894 572 NtQueryDirectoryFile (640, 0, 0, 0, 1471304, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03895 572 NtClose (640, ... ) == 0x0 03896 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\"}, 3, 16417, ... 640, {status=0x0, info=1}, ) }, 3, 16417, ... 640, {status=0x0, info=1}, ) == 0x0 03897 572 NtQueryDirectoryFile (640, 0, 0, 0, 11789812, 616, BothDirectory, 1, (640, 0, 0, 0, 11789812, 616, BothDirectory, 1, "*", 0, ... 
{status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03898 572 NtQueryDirectoryFile (640, 0, 0, 0, 1471304, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=196}, ) == 0x0 03899 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\"}, 3, 16417, ... 764, {status=0x0, info=1}, ) }, 3, 16417, ... 764, {status=0x0, info=1}, ) == 0x0 03900 572 NtQueryDirectoryFile (764, 0, 0, 0, 11789192, 616, BothDirectory, 1, (764, 0, 0, 0, 11789192, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03901 572 NtQueryDirectoryFile (764, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=420}, ) == 0x0 03902 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\"}, 3, 16417, ... 768, {status=0x0, info=1}, ) }, 3, 16417, ... 768, {status=0x0, info=1}, ) == 0x0 03903 572 NtQueryDirectoryFile (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03904 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03905 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03906 572 NtClose (768, ... ) == 0x0 03907 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\"}, 3, 16417, ... 768, {status=0x0, info=1}, ) }, 3, 16417, ... 768, {status=0x0, info=1}, ) == 0x0 03908 572 NtQueryDirectoryFile (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, "*", 0, ... 
{status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03909 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03910 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03911 572 NtClose (768, ... ) == 0x0 03912 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\"}, 3, 16417, ... 768, {status=0x0, info=1}, ) }, 3, 16417, ... 768, {status=0x0, info=1}, ) == 0x0 03913 572 NtQueryDirectoryFile (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, (768, 0, 0, 0, 11788572, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03914 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03915 572 NtQueryDirectoryFile (768, 0, 0, 0, 1490520, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03916 572 NtClose (768, ... ) == 0x0 03917 572 NtQueryDirectoryFile (764, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03918 572 NtClose (764, ... ) == 0x0 03919 572 NtQueryDirectoryFile (640, 0, 0, 0, 1471304, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03920 572 NtClose (640, ... ) == 0x0 03921 572 NtQueryDirectoryFile (636, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03922 572 NtClose (636, ... ) == 0x0 03923 572 NtQueryDirectoryFile (624, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03924 572 NtClose (624, ... ) == 0x0 03925 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03926 572 NtClose (452, ... ) == 0x0 03927 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 03928 572 NtClose (448, ... ) == 0x0 03929 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\drivers\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 03930 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03931 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 03932 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\drivers\etc\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 03933 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03934 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=662}, ) == 0x0 03935 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03936 572 NtClose (452, ... ) == 0x0 03937 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\drivers\disdn\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 03938 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03939 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03940 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 03941 572 NtClose (452, ... ) == 0x0 03942 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4092}, ) == 0x0 03943 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3996}, ) == 0x0 03944 572 NtDelayExecution (0, {-10000, -1}, ... ) == 0x0 03945 572 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 11792740, (0x80100080, {24, 0, 0x42, 0, 11792740, "\??\C:\WINDOWS\system32\drivers\gmreadme.txt"}, 0x0, 128, 3, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) == 0x0 03946 572 NtQueryVolumeInformationFile (452, 11792844, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03947 572 NtReadFile (452, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=646}, (452, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=646}, "-------------------------------------------------------------------------\15\12GMREADME.TXT\15\12Copyright (c) 1998-2000 Microsoft Corporation. All Rights Reserved.\15\12------------\15\12\15\12The GM.DLS file contains the Roland SoundCanvas Sound Set which is \15\12protected under the following copyright: \15\12Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation U.S. \15\12The Roland SoundCanvas Sound Set is licensed under Microsoft's \15\12End User License Agreement for use with Microsoft operating \15\12system products only", ) , ) == 0x0 03948 572 NtReadFile (452, 0, 0, 0, 4096, 0x0, 0, ... ) == STATUS_END_OF_FILE 03949 572 NtClose (452, ... ) == 0x0 03950 572 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 11792740, (0x80100080, {24, 0, 0x42, 0, 11792740, "\??\C:\WINDOWS\system32\drivers\gmreadme.txt"}, 0x0, 128, 3, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 452, {status=0x0, info=1}, ) == 0x0 03951 572 NtQueryVolumeInformationFile (452, 11792844, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03952 572 NtReadFile (452, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=646}, (452, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=646}, "-------------------------------------------------------------------------\15\12GMREADME.TXT\15\12Copyright (c) 1998-2000 Microsoft Corporation. All Rights Reserved.\15\12------------\15\12\15\12The GM.DLS file contains the Roland SoundCanvas Sound Set which is \15\12protected under the following copyright: \15\12Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation U.S. \15\12The Roland SoundCanvas Sound Set is licensed under Microsoft's \15\12End User License Agreement for use with Microsoft operating \15\12system products only", ) , ) == 0x0 03953 572 NtReadFile (452, 0, 0, 0, 4096, 0x0, 0, ... ) == STATUS_END_OF_FILE 03954 572 NtClose (452, ... ) == 0x0 03955 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4026}, ) == 0x0 03956 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=2222}, ) == 0x0 03957 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03958 572 NtClose (448, ... ) == 0x0 03959 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ras\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 03960 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03961 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=794}, ) == 0x0 03962 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03963 572 NtClose (448, ... ) == 0x0 03964 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\"}, 3, 16417, ... 
448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 03965 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03966 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=438}, ) == 0x0 03967 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\drivers\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 03968 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03969 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=320}, ) == 0x0 03970 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\drivers\w32x86\"}, 3, 16417, ... 624, {status=0x0, info=1}, ) }, 3, 16417, ... 624, {status=0x0, info=1}, ) == 0x0 03971 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03972 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=200}, ) == 0x0 03973 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\drivers\w32x86\3\"}, 3, 16417, ... 636, {status=0x0, info=1}, ) }, 3, 16417, ... 636, {status=0x0, info=1}, ) == 0x0 03974 572 NtQueryDirectoryFile (636, 0, 0, 0, 11790432, 616, BothDirectory, 1, (636, 0, 0, 0, 11790432, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... 
{status=0x0, info=96}, ) == 0x0 03975 572 NtQueryDirectoryFile (636, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03976 572 NtQueryDirectoryFile (636, 0, 0, 0, 1413720, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03977 572 NtClose (636, ... ) == 0x0 03978 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03979 572 NtClose (624, ... ) == 0x0 03980 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\drivers\color\"}, 3, 16417, ... 624, {status=0x0, info=1}, ) }, 3, 16417, ... 624, {status=0x0, info=1}, ) == 0x0 03981 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03982 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1360}, ) == 0x0 03983 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03984 572 NtClose (624, ... ) == 0x0 03985 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03986 572 NtClose (452, ... ) == 0x0 03987 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\prtprocs\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 03988 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03989 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=210}, ) == 0x0 03990 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\prtprocs\w32x86\"}, 3, 16417, ... 624, {status=0x0, info=1}, ) }, 3, 16417, ... 624, {status=0x0, info=1}, ) == 0x0 03991 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03992 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 03993 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03994 572 NtClose (624, ... ) == 0x0 03995 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 03996 572 NtClose (452, ... ) == 0x0 03997 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spool\PRINTERS\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 03998 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 03999 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04000 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04001 572 NtClose (452, ... ) == 0x0 04002 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04003 572 NtClose (448, ... ) == 0x0 04004 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wins\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 
448, {status=0x0, info=1}, ) == 0x0 04005 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04006 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04007 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04008 572 NtClose (448, ... ) == 0x0 04009 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dhcp\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04010 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04011 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04012 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04013 572 NtClose (448, ... ) == 0x0 04014 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ShellExt\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04015 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04016 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04017 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04018 572 NtClose (448, ... 
) == 0x0 04019 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Setup\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04020 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04021 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1972}, ) == 0x0 04022 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04023 572 NtClose (448, ... ) == 0x0 04024 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04025 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04026 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3984}, ) == 0x0 04027 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\mof\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04028 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04029 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=308}, ) == 0x0 04030 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\mof\good\"}, 3, 16417, ... 624, {status=0x0, info=1}, ) }, 3, 16417, ... 
624, {status=0x0, info=1}, ) == 0x0 04031 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04032 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04033 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04034 572 NtClose (624, ... ) == 0x0 04035 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\mof\bad\"}, 3, 16417, ... 624, {status=0x0, info=1}, ) }, 3, 16417, ... 624, {status=0x0, info=1}, ) == 0x0 04036 572 NtQueryDirectoryFile (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, (624, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04037 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04038 572 NtQueryDirectoryFile (624, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04039 572 NtClose (624, ... ) == 0x0 04040 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04041 572 NtClose (452, ... ) == 0x0 04042 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\xml\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04043 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04044 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=444}, ) == 0x0 04045 572 NtQueryDirectoryFile (452, 0, 0, 0, 1486320, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04046 572 NtClose (452, ... ) == 0x0 04047 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04048 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3988}, ) == 0x0 04049 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\snmp\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04050 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... , 0, ... 03620 584 NtDelayExecution ... ) == 0x0 04051 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25493504, 1048576, ) == 0x0 04052 584 NtAllocateVirtualMemory (-1, 26533888, 0, 8192, 4096, 4, ... 26533888, 8192, ) == 0x0 04053 584 NtProtectVirtualMemory (-1, (0x194e000), 4096, 260, ... (0x194e000), 4096, 4, ) == 0x0 04054 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 624, {316, 880}, ) == 0x0 04055 584 NtQueryInformationThread (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=316,Tid=880,}, 0x0, ) == 0x0 04056 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1569, 0} (24, {28, 56, new_msg, 0, 316, 584, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0p\2\0\0<\1\0\0p\3\0\0" ... {28, 56, reply, 0, 316, 584, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0p\2\0\0<\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 316, 584, 1577, 0} (24, {28, 56, new_msg, 0, 316, 584, 1569, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0p\2\0\0<\1\0\0p\3\0\0" ... {28, 56, reply, 0, 316, 584, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0p\2\0\0<\1\0\0p\3\0\0" ) ) == 0x0 04057 584 NtResumeThread (624, ... 
1, ) == 0x0 04058 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26542080, 1048576, ) == 0x0 04059 584 NtAllocateVirtualMemory (-1, 27582464, 0, 8192, 4096, 4, ... 27582464, 8192, ) == 0x0 04060 880 NtTestAlert (... ) == 0x0 04061 880 NtContinue (26541360, 1, ... 04062 880 NtRegisterThreadTerminatePort (24, ... ) == 0x0 04063 880 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 636, ) == 0x0 04064 880 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04065 880 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 04066 584 NtProtectVirtualMemory (-1, (0x1a4e000), 4096, 260, ... (0x1a4e000), 4096, 4, ) == 0x0 04067 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 640, {316, 884}, ) == 0x0 04068 584 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=316,Tid=884,}, 0x0, ) == 0x0 04069 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1577, 0} (24, {28, 56, new_msg, 0, 316, 584, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\200\2\0\0<\1\0\0t\3\0\0" ... {28, 56, reply, 0, 316, 584, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\200\2\0\0<\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 316, 584, 1578, 0} (24, {28, 56, new_msg, 0, 316, 584, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\200\2\0\0<\1\0\0t\3\0\0" ... {28, 56, reply, 0, 316, 584, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0\200\2\0\0<\1\0\0t\3\0\0" ) ) == 0x0 04070 584 NtResumeThread (640, ... 1, ) == 0x0 04071 584 NtDelayExecution (0, {-500000, -1}, ... 04065 880 NtCreateEvent ... 764, ) == 0x0 04072 884 NtTestAlert (... 04073 880 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 26541300, 67, ... }, 0x0, 0, 3, 3, 0, 26541300, 67, ... 04072 884 NtTestAlert ... ) == 0x0 04073 880 NtCreateFile ... 768, {status=0x0, info=0}, ) == 0x0 04074 884 NtContinue (27589936, 1, ... 
04075 880 NtDeviceIoControlFile (768, 764, 0x0, 0x0, 0x12047, (768, 764, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330\17\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\04\255\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0biz\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 04076 884 NtRegisterThreadTerminatePort (24, ... 04075 880 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 04076 884 NtRegisterThreadTerminatePort ... ) == 0x0 04077 880 NtWaitForSingleObject (232, 0, {0, 0}, ... 04078 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 772, ) == 0x0 04079 884 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 04080 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 776, ) == 0x0 04081 884 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 780, ) == 0x0 04082 884 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 784, ) == 0x0 04083 884 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 04077 880 NtWaitForSingleObject ... ) == 0x102 04084 880 NtDeviceIoControlFile (768, 764, 0x0, 0x0, 0x1203b, (768, 764, 0x0, 0x0, 0x1203b, "\2\0\0\0`\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04085 880 NtDeviceIoControlFile (768, 764, 0x0, 0x0, 0x12003, (768, 764, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=788}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\23\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=788}, (768, 764, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=788}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\23\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04086 880 NtDeviceIoControlFile (768, 764, 0x0, 0x0, 0x12047, (768, 764, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360\255\26\0\2\0\4\23\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\04\255\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0biz\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04087 880 NtDeviceIoControlFile (524, 0, 0x0, 0x16bce8, 0x12007, (524, 0, 0x0, 0x16bce8, 0x12007, "\0\0\0\0\16\0\2\0\0\3\0\0\1\0\0\0\16\0\2\0\1\275\33WQ\30\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03752 732 NtRemoveIoCompletion ... 1906658213, 1490152, {status=0xc000023d, info=0}, ) == 0x0 04088 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 792, ) == 0x0 04089 732 NtWaitForSingleObject (792, 0, 0x0, ... 04087 880 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04090 880 NtSetEventBoostPriority (792, ... 04089 732 NtWaitForSingleObject ... ) == 0x0 04091 732 NtDeviceIoControlFile (768, 512, 0x0, 0x0, 0x12037, (768, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (768, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04092 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 04090 880 NtSetEventBoostPriority ... ) == 0x0 04083 884 NtCreateEvent ... 
796, ) == 0x0 04093 884 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 0, 0, 0, 0} (548, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 884, 1579, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 884, 1579, 0} (548, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 884, 1579, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04094 884 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 800, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 800, 2, ) , 0, ... 800, 2, ) == 0x0 04095 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 804, ) }, ... 804, ) == 0x0 04096 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04097 884 NtQueryValueKey (800, (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04098 880 NtDeviceIoControlFile (768, 764, 0x0, 0x0, 0x12024, (768, 764, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0\0\3\0\0\4\0\0\0\364\374\224\1", 28, 28, ... , 28, 28, ... 
04050 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 04098 880 NtDeviceIoControlFile ... {status=0x71a561a7, info=0}, "", ) == 0x103 04099 884 NtQueryValueKey (800, (800, "Hostname", Partial, 144, ... , Partial, 144, ... 04100 880 NtWaitForSingleObject (764, 1, {-5000000, -1}, ... 04099 884 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04101 884 NtClose (800, ... ) == 0x0 04102 884 NtClose (804, ... ) == 0x0 04103 884 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 804, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 804, 2, ) , 0, ... 804, 2, ) == 0x0 04104 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 800, ) }, ... 800, ) == 0x0 04105 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04106 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04107 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04108 572 NtClose (452, ... ) == 0x0 04109 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\Logs\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04110 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04111 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=1164}, ) == 0x0 04112 884 NtQueryValueKey (804, (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04113 884 NtQueryValueKey (804, (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04114 884 NtClose (804, ... ) == 0x0 04115 884 NtClose (800, ... ) == 0x0 04116 884 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 04117 884 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 316, 884, 1579, 0} (548, {64, 88, new_msg, 0, 316, 884, 1579, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 04118 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04119 572 NtClose (452, ... ) == 0x0 04120 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\Performance\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04121 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... , 0, ... 04117 884 NtRequestWaitReplyPort ... {52, 76, reply, 0, 316, 884, 1581, 0} ... {52, 76, reply, 0, 316, 884, 1581, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04122 884 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 800, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
800, 2, ) , 0, ... 800, 2, ) == 0x0 04123 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 804, ) }, ... 804, ) == 0x0 04124 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04125 884 NtQueryValueKey (800, (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04126 884 NtQueryValueKey (800, (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (800, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04127 884 NtClose (800, ... ) == 0x0 04128 884 NtClose (804, ... ) == 0x0 04129 884 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 804, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 804, 2, ) , 0, ... 804, 2, ) == 0x0 04130 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 800, ) }, ... 800, ) == 0x0 04131 884 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04132 884 NtQueryValueKey (804, (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04121 572 NtQueryDirectoryFile ... 
{status=0x0, info=96}, ) == 0x0 04133 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=330}, ) == 0x0 04134 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04135 572 NtClose (452, ... ) == 0x0 04136 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4084}, ) == 0x0 04137 884 NtQueryValueKey (804, (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (804, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04138 884 NtClose (804, ... ) == 0x0 04139 884 NtClose (800, ... ) == 0x0 04140 884 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 800, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 800, {status=0x0, info=0}, ) == 0x0 04141 884 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
804, ) == 0x0 04142 884 NtDeviceIoControlFile (800, 804, 0x0, 0x0, 0xf14014, (800, 804, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0<\367\244\1O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0 C\26\0\0\0\0\0L\370\244\1\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\0h\270\26\0X\222\25\0\24\232\347w\313\270\27\0\330\253\26\0\346\253\26\0\314\270\26\0\377\377\0\0\0\0\0\0\314\270\26\0\7\0\0\0\330\253\26\0\370\367\244\1\177;\245q\0\0\0\0\0\0\0\0\330\253\26\0\0\0\0\0\314\270\26\0\377\377\0\0\1\0\0\0\210\253\26\0(C\26\0\314\270\26\0\270\253\26\0\210\1\24\0 C\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\300\270\26\0\254\270\26\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0X\222\1\1\0\0\24\0\220\367\244\1p\374\244\1\334\377\244\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245qX\222\25\0\300y\25\0@\16\26\0X\16\26\0\330\253\26\0\346\253\26\0\314\270\26\0\377\377\0\0\0\0\0\0\314\270\26\0\7\0\0\0\330\253\26\0\300\370\244\1\177;\245q\0\0\0\0\0\0\0\0\330\253\26\0\0\0\0\0\314\270\26\0\377\377\0\0\1\0\0\0\210\253\26\0\0\251\26\0\4\0\0\0\0\0\0\0\210\1\24\0\370\250\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\300\270\26\0\254\270\26\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0(-\1\1\0\0\24\0X\370\244\18\375\244\1\334\377\244\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q(-\25\0\300y\25\0@\16\26\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04143 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=2120}, ) == 0x0 04144 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\Repository\"}, 3, 16417, ... 452, {status=0x0, info=1}, ) }, 3, 16417, ... 452, {status=0x0, info=1}, ) == 0x0 04145 572 NtQueryDirectoryFile (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, (452, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... 
{status=0x0, info=96}, ) == 0x0 04146 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=320}, ) == 0x0 04147 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wbem\Repository\FS\"}, 3, 16417, ... 808, {status=0x0, info=1}, ) }, 3, 16417, ... 808, {status=0x0, info=1}, ) == 0x0 04148 572 NtQueryDirectoryFile (808, 0, 0, 0, 11791052, 616, BothDirectory, 1, (808, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04149 884 NtClose (804, ... ) == 0x0 04150 884 NtClose (800, ... ) == 0x0 04151 884 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04152 884 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27589864, 67, ... 800, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27589864, 67, ... 800, {status=0x0, info=0}, ) == 0x0 04153 884 NtDeviceIoControlFile (800, 776, 0x0, 0x0, 0x12047, (800, 776, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\177\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\04\223\25\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\253\204\307\1", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04154 884 NtWaitForSingleObject (232, 0, {0, 0}, ... 04155 572 NtQueryDirectoryFile (808, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=560}, ) == 0x0 04156 572 NtQueryDirectoryFile (808, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04157 572 NtClose (808, ... 
) == 0x0 04158 572 NtQueryDirectoryFile (452, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04159 572 NtClose (452, ... ) == 0x0 04160 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04154 884 NtWaitForSingleObject ... ) == 0x102 04161 884 NtDeviceIoControlFile (800, 776, 0x0, 0x0, 0x1203b, (800, 776, 0x0, 0x0, 0x1203b, "\2\0\0\0`\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04162 884 NtDeviceIoControlFile (800, 776, 0x0, 0x0, 0x12003, (800, 776, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=452}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\24\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=452}, (800, 776, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=452}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\24\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04163 884 NtDeviceIoControlFile (800, 776, 0x0, 0x0, 0x12047, (800, 776, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08\272\26\0\2\0\4\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\04\223\25\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\253\204\307\1", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04164 884 NtDeviceIoControlFile (524, 0, 0x0, 0x16bce8, 0x12007, (524, 0, 0x0, 0x16bce8, 0x12007, "\0\0\0\0\16\0\2\0 \3\0\0\1\0\0\0\16\0\2\0\1\275\300\250\33Wh\376\244\1MYWO", 34, 8, ... , 34, 8, ... 04092 732 NtRemoveIoCompletion ... 
1906658213, 1490152, {status=0xc000023d, info=0}, ) == 0x0 04165 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 808, ) == 0x0 04166 732 NtWaitForSingleObject (808, 0, 0x0, ... 04164 884 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04167 884 NtSetEventBoostPriority (808, ... 04166 732 NtWaitForSingleObject ... ) == 0x0 04168 732 NtDeviceIoControlFile (800, 512, 0x0, 0x0, 0x12037, (800, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (800, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04169 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 04167 884 NtSetEventBoostPriority ... ) == 0x0 04170 572 NtClose (448, ... ) == 0x0 04171 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\npp\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04172 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... , 0, ... 04173 884 NtDeviceIoControlFile (800, 776, 0x0, 0x0, 0x12024, (800, 776, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0 \3\0\0\4\0\0\0\350\374\244\1", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... {status=0x71a561a7, info=0}, "", ) == 0x103 04174 884 NtWaitForSingleObject (776, 1, {-5000000, -1}, ... 04172 572 NtQueryDirectoryFile ... {status=0x0, info=96}, ) == 0x0 04175 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=342}, ) == 0x0 04176 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04177 572 NtClose (448, ... ) == 0x0 04178 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ias\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 
448, {status=0x0, info=1}, ) == 0x0 04179 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04180 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=324}, ) == 0x0 04181 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04182 572 NtClose (448, ... ) == 0x0 04183 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\dllcache\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04184 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04185 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4020}, ) == 0x0 04186 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4022}, ) == 0x0 04187 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4022}, ) == 0x0 04188 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4058}, ) == 0x0 04189 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4042}, ) == 0x0 04190 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4084}, ) == 0x0 04191 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4070}, ) == 0x0 04192 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=4074}, ) == 0x0 04193 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 04194 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4050}, ) == 0x0 04195 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4002}, ) == 0x0 04196 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04197 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4022}, ) == 0x0 04198 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4044}, ) == 0x0 04199 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 04200 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4030}, ) == 0x0 04201 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04202 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4026}, ) == 0x0 04203 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 04204 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0 04205 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4026}, ) == 0x0 04206 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0 04207 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4028}, ) == 0x0 04208 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=4034}, ) == 0x0 04209 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4028}, ) == 0x0 04210 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04211 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4024}, ) == 0x0 04212 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3978}, ) == 0x0 04213 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4088}, ) == 0x0 04214 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4030}, ) == 0x0 04215 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4030}, ) == 0x0 04216 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4080}, ) == 0x0 04217 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4004}, ) == 0x0 04218 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4006}, ) == 0x0 04219 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3998}, ) == 0x0 04220 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4016}, ) == 0x0 04221 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4028}, ) == 0x0 04222 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4052}, ) == 0x0 04223 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04224 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=4028}, ) == 0x0 04225 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4012}, ) == 0x0 04226 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0 04227 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4030}, ) == 0x0 04228 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4026}, ) == 0x0 04229 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4046}, ) == 0x0 04230 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=3998}, ) == 0x0 04231 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4056}, ) == 0x0 04232 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4006}, ) == 0x0 04233 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4018}, ) == 0x0 04234 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4042}, ) == 0x0 04235 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4008}, ) == 0x0 04236 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4062}, ) == 0x0 04237 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4036}, ) == 0x0 04238 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4024}, ) == 0x0 04239 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4056}, ) == 0x0 04240 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=4002}, ) == 0x0 04241 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4022}, ) == 0x0 04242 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4028}, ) == 0x0 04243 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4014}, ) == 0x0 04244 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 04245 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4038}, ) == 0x0 04246 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4006}, ) == 0x0 04247 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4028}, ) == 0x0 04248 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4056}, ) == 0x0 04249 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=2852}, ) == 0x0 04250 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04251 572 NtClose (448, ... ) == 0x0 04252 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\export\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04253 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04254 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04255 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... 
) == STATUS_NO_MORE_FILES 04256 572 NtClose (448, ... ) == 0x0 04257 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\icsxml\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04258 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04259 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=690}, ) == 0x0 04260 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04261 572 NtClose (448, ... ) == 0x0 04262 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mui\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04263 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04264 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=318}, ) == 0x0 04265 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mui\0009\"}, 3, 16417, ... 804, {status=0x0, info=1}, ) }, 3, 16417, ... 804, {status=0x0, info=1}, ) == 0x0 04266 572 NtQueryDirectoryFile (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04267 572 NtQueryDirectoryFile (804, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=222}, ) == 0x0 04268 572 NtQueryDirectoryFile (804, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04269 572 NtClose (804, ... 
) == 0x0 04270 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mui\dispspec\"}, 3, 16417, ... 804, {status=0x0, info=1}, ) }, 3, 16417, ... 804, {status=0x0, info=1}, ) == 0x0 04271 572 NtQueryDirectoryFile (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04272 572 NtQueryDirectoryFile (804, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04273 572 NtQueryDirectoryFile (804, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04274 572 NtClose (804, ... ) == 0x0 04275 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04276 572 NtClose (448, ... ) == 0x0 04277 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\oobe\"}, 3, 16417, ... 448, {status=0x0, info=1}, ) }, 3, 16417, ... 448, {status=0x0, info=1}, ) == 0x0 04278 572 NtQueryDirectoryFile (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, (448, 0, 0, 0, 11792292, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04279 572 NtQueryDirectoryFile (448, 0, 0, 0, 1432048, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=4068}, ) == 0x0 04280 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\oobe\html\"}, 3, 16417, ... 804, {status=0x0, info=1}, ) }, 3, 16417, ... 804, {status=0x0, info=1}, ) == 0x0 04281 572 NtQueryDirectoryFile (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, (804, 0, 0, 0, 11791672, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04282 572 NtQueryDirectoryFile (804, 0, 0, 0, 1409616, 4096, BothDirectory, 0, 0x0, 0, ... 
{status=0x0, info=1094}, ) == 0x0 04283 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\oobe\html\ispsgnup\"}, 3, 16417, ... 812, {status=0x0, info=1}, ) }, 3, 16417, ... 812, {status=0x0, info=1}, ) == 0x0 04284 572 NtQueryDirectoryFile (812, 0, 0, 0, 11791052, 616, BothDirectory, 1, (812, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04285 572 NtQueryDirectoryFile (812, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=98}, ) == 0x0 04286 572 NtQueryDirectoryFile (812, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES 04287 572 NtClose (812, ... ) == 0x0 04288 572 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\oobe\html\mouse\"}, 3, 16417, ... 812, {status=0x0, info=1}, ) }, 3, 16417, ... 812, {status=0x0, info=1}, ) == 0x0 04289 572 NtQueryDirectoryFile (812, 0, 0, 0, 11791052, 616, BothDirectory, 1, (812, 0, 0, 0, 11791052, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=96}, ) , 0, ... {status=0x0, info=96}, ) == 0x0 04290 572 NtQueryDirectoryFile (812, 0, 0, 0, 1467200, 4096, BothDirectory, 0, 0x0, 0, ... {status=0x0, info=1642}, ) == 0x0 04291 572 NtDelayExecution (0, {-10000, -1}, ... ) == 0x0 04292 572 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 11791500, (0x80100080, {24, 0, 0x42, 0, 11791500, "\??\C:\WINDOWS\system32\oobe\html\mouse\mouse.htm"}, 0x0, 128, 3, 1, 96, 0, 0, ... 816, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 816, {status=0x0, info=1}, ) == 0x0 04293 572 NtQueryVolumeInformationFile (816, 11791604, 8, Device, ... {status=0x0, info=8}, ) == 0x0 04294 572 NtReadFile (816, 0, 0, 0, 4096, 0x0, 0, ... 04071 584 NtDelayExecution ... ) == 0x0 04295 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
27590656, 1048576, ) == 0x0 04296 584 NtAllocateVirtualMemory (-1, 28631040, 0, 8192, 4096, 4, ... 28631040, 8192, ) == 0x0 04297 584 NtProtectVirtualMemory (-1, (0x1b4e000), 4096, 260, ... (0x1b4e000), 4096, 4, ) == 0x0 04298 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 820, {316, 892}, ) == 0x0 04299 584 NtQueryInformationThread (820, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=316,Tid=892,}, 0x0, ) == 0x0 04300 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1578, 0} (24, {28, 56, new_msg, 0, 316, 584, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\04\3\0\0<\1\0\0|\3\0\0" ... {28, 56, reply, 0, 316, 584, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\04\3\0\0<\1\0\0|\3\0\0" ) ... {28, 56, reply, 0, 316, 584, 1582, 0} (24, {28, 56, new_msg, 0, 316, 584, 1578, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\04\3\0\0<\1\0\0|\3\0\0" ... {28, 56, reply, 0, 316, 584, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\04\3\0\0<\1\0\0|\3\0\0" ) ) == 0x0 04301 584 NtResumeThread (820, ... 1, ) == 0x0 04302 584 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 04303 892 NtTestAlert (... ) == 0x0 04304 892 NtContinue (28638512, 1, ... 04305 892 NtRegisterThreadTerminatePort (24, ... ) == 0x0 04306 892 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 824, ) == 0x0 04307 892 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04308 892 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 04302 584 NtAllocateVirtualMemory ... 28639232, 1048576, ) == 0x0 04309 584 NtAllocateVirtualMemory (-1, 29679616, 0, 8192, 4096, 4, ... 29679616, 8192, ) == 0x0 04310 584 NtProtectVirtualMemory (-1, (0x1c4e000), 4096, 260, ... (0x1c4e000), 4096, 4, ) == 0x0 04311 584 NtCreateThread (0x1f03ff, 0x0, -1, 13892716, 13893432, 1, ... 828, {316, 908}, ) == 0x0 04312 584 NtQueryInformationThread (828, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=316,Tid=908,}, 0x0, ) == 0x0 04313 584 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 316, 584, 1582, 0} (24, {28, 56, new_msg, 0, 316, 584, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\3\0\0<\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 316, 584, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\3\0\0<\1\0\0\214\3\0\0" ) ... {28, 56, reply, 0, 316, 584, 1583, 0} (24, {28, 56, new_msg, 0, 316, 584, 1582, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\3\0\0<\1\0\0\214\3\0\0" ... {28, 56, reply, 0, 316, 584, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\274\373\323\0<\3\0\0<\1\0\0\214\3\0\0" ) ) == 0x0 04308 892 NtCreateEvent ... 832, ) == 0x0 04314 892 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 28638452, 67, ... 836, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 28638452, 67, ... 836, {status=0x0, info=0}, ) == 0x0 04315 892 NtDeviceIoControlFile (836, 832, 0x0, 0x0, 0x12047, (836, 832, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350\223\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04316 892 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04317 892 NtDeviceIoControlFile (836, 832, 0x0, 0x0, 0x1203b, (836, 832, 0x0, 0x0, 0x1203b, "\2\0\0\0\220\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 04318 892 NtDeviceIoControlFile (836, 832, 0x0, 0x0, 0x12003, (836, 832, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=840}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\25\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=840}, (836, 832, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=840}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\25\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04319 584 NtResumeThread (828, ... 1, ) == 0x0 04320 584 NtDelayExecution (0, {-500000, -1}, ... 04321 892 NtDeviceIoControlFile (836, 832, 0x0, 0x0, 0x12047, (836, 832, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\225\25\0\2\0\4\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04322 892 NtDeviceIoControlFile (524, 0, 0x0, 0x16bce8, 0x12007, (524, 0, 0x0, 0x16bce8, 0x12007, "\0\0\0\0\16\0\2\0D\3\0\0\1\0\0\0\16\0\2\0\1\275\351J\300\17\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04169 732 NtRemoveIoCompletion ... 1906658213, 1490152, {status=0xc0000207, info=0}, ) == 0x0 04323 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 844, ) == 0x0 04324 732 NtWaitForSingleObject (844, 0, 0x0, ... 04322 892 NtDeviceIoControlFile ... {status=0xc0000207, info=0}, "", ) == 0x103 04325 892 NtSetEventBoostPriority (844, ... 04324 732 NtWaitForSingleObject ... ) == 0x0 04326 732 NtDeviceIoControlFile (836, 512, 0x0, 0x0, 0x12037, (836, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (836, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04327 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 04325 892 NtSetEventBoostPriority ... ) == 0x0 04328 908 NtTestAlert (... ) == 0x0 04329 908 NtContinue (29687088, 1, ... 04330 908 NtRegisterThreadTerminatePort (24, ... ) == 0x0 04331 908 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 848, ) == 0x0 04332 908 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 04333 908 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 04334 892 NtDeviceIoControlFile (836, 832, 0x0, 0x0, 0x12024, (836, 832, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0D\3\0\0\4\0\0\0\364\374\264\1", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... {status=0x71a561a7, info=0}, "", ) == 0x103 04335 892 NtWaitForSingleObject (832, 1, {-5000000, -1}, ... 04333 908 NtCreateEvent ... 852, ) == 0x0 04336 908 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 856, ) == 0x0 04337 908 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 860, ) == 0x0 04338 908 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 4391026, 7667820, 7602291, 7471205} (548, {64, 88, new_msg, 0, 4391026, 7667820, 7602291, 7471205} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 908, 1584, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 908, 1584, 0} (548, {64, 88, new_msg, 0, 4391026, 7667820, 7602291, 7471205} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 316, 908, 1584, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04339 908 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 864, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 864, 2, ) , 0, ... 864, 2, ) == 0x0 04340 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 868, ) }, ... 868, ) == 0x0 04341 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04342 908 NtQueryValueKey (864, (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04343 908 NtQueryValueKey (864, (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04344 908 NtClose (864, ... ) == 0x0 04345 908 NtClose (868, ... ) == 0x0 04346 908 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 868, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 868, 2, ) , 0, ... 868, 2, ) == 0x0 04347 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 864, ) }, ... 
864, ) == 0x0 04348 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04349 908 NtQueryValueKey (868, (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04350 908 NtQueryValueKey (868, (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04351 908 NtClose (868, ... ) == 0x0 04352 908 NtClose (864, ... ) == 0x0 04353 908 NtWaitForSingleObject (292, 0, {0, 0}, ... ) == 0x102 04354 908 NtRequestWaitReplyPort (548, {64, 88, new_msg, 0, 316, 908, 1584, 0} (548, {64, 88, new_msg, 0, 316, 908, 1584, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 908, 1585, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 316, 908, 1585, 0} (548, {64, 88, new_msg, 0, 316, 908, 1584, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 316, 908, 1585, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300;\11\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04355 908 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 864, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 864, 2, ) , 0, ... 
864, 2, ) == 0x0 04356 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 868, ) }, ... 868, ) == 0x0 04357 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04358 908 NtQueryValueKey (864, (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04359 908 NtQueryValueKey (864, (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (864, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04360 908 NtClose (864, ... ) == 0x0 04361 908 NtClose (868, ... ) == 0x0 04362 908 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 868, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 868, 2, ) , 0, ... 868, 2, ) == 0x0 04363 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 864, ) }, ... 864, ) == 0x0 04364 908 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04365 908 NtQueryValueKey (868, (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04366 908 NtQueryValueKey (868, (868, "Domain", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (868, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04367 908 NtClose (868, ... ) == 0x0 04368 908 NtClose (864, ... ) == 0x0 04369 908 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 864, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 864, {status=0x0, info=0}, ) == 0x0 04370 908 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 868, ) == 0x0 04371 908 NtDeviceIoControlFile (864, 868, 0x0, 0x0, 0xf14014, (864, 868, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0<\367\304\1O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0\200\253\26\0\0\0\0\0L\370\304\1\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\0h\270\26\08\224\25\0\24\232\347w\313\270\27\0\330\253\26\0\346\253\26\0\314\270\26\0\377\377\0\0\0\0\0\0\314\270\26\0\7\0\0\0\330\253\26\0\370\367\304\1\177;\245q\0\0\0\0\0\0\0\0\330\253\26\0\0\0\0\0\314\270\26\0\377\377\0\0\1\0\0\0\0\251\26\0\210\253\26\0\314\270\26\0\270\253\26\0\210\1\24\0\200\253\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\300\270\26\0\254\270\26\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\08\224\1\1\0\0\24\0\220\367\304\1p\374\304\1\334\377\304\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q8\224\25\0\300y\25\0@\16\26\0X\16\26\0\330\253\26\0\346\253\26\0\314\270\26\0\377\377\0\0\0\0\0\0\314\270\26\0\7\0\0\0\330\253\26\0\300\370\304\1\177;\245q\0\0\0\0\0\0\0\0\330\253\26\0\0\0\0\0\314\270\26\0\377\377\0\0\1\0\0\0\0\251\26\0\230\253\26\0\4\0\0\0\0\0\0\0\210\1\24\0\220\253\26\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\300\270\26\0\254\270\26\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0(-\1\1\0\0\24\0X\370\304\18\375\304\1\334\377\304\1\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q(-\25\0\300y\25\0@\16\26\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 04372 908 NtClose (868, ... ) == 0x0 04373 908 NtClose (864, ... ) == 0x0 04374 908 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04375 908 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29687016, 67, ... 864, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29687016, 67, ... 864, {status=0x0, info=0}, ) == 0x0 04376 908 NtDeviceIoControlFile (864, 852, 0x0, 0x0, 0x12047, (864, 852, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x\227\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\254t\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04377 908 NtWaitForSingleObject (232, 0, {0, 0}, ... ) == 0x102 04378 908 NtDeviceIoControlFile (864, 852, 0x0, 0x0, 0x1203b, (864, 852, 0x0, 0x0, 0x1203b, "\2\0\0\0`\30\25\0\1\0\0\0\0\0\0\0", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04379 908 NtDeviceIoControlFile (864, 852, 0x0, 0x0, 0x12003, (864, 852, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=868}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\26\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=868}, (864, 852, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=868}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\26\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04380 908 NtDeviceIoControlFile (864, 852, 0x0, 0x0, 0x12047, (864, 852, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\240\25\0\2\0\4\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\254t\26\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04381 908 NtDeviceIoControlFile (524, 0, 0x0, 0x16bce8, 0x12007, (524, 0, 0x0, 0x16bce8, 0x12007, "\0\0\0\0\16\0\2\0`\3\0\0\1\0\0\0\16\0\2\0\1\275\300\250\351Jh\376\304\1MYWO", 34, 8, ... , 34, 8, ... 04327 732 NtRemoveIoCompletion ... 1906658213, 1490152, {status=0xc000023d, info=0}, ) == 0x0 04382 732 NtCreateEvent (0x100003, 0x0, 1, 0, ... 872, ) == 0x0 04383 732 NtWaitForSingleObject (872, 0, 0x0, ... 04381 908 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04384 908 NtSetEventBoostPriority (872, ... 04383 732 NtWaitForSingleObject ... ) == 0x0 04385 732 NtDeviceIoControlFile (864, 512, 0x0, 0x0, 0x12037, (864, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (864, 512, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04386 732 NtRemoveIoCompletion (508, {1294967296, -1}, ... 04384 908 NtSetEventBoostPriority ... ) == 0x0 04387 908 NtDeviceIoControlFile (864, 852, 0x0, 0x0, 0x12024, (864, 852, 0x0, 0x0, 0x12024, "\0yl\374\377\377\377\377\1\0\0\0\0\0\0\0`\3\0\0\4\0\0\0\350\374\304\1", 28, 28, ... {status=0x71a561a7, info=0}, "", ) , 28, 28, ... 
{status=0x71a561a7, info=0}, "", ) == 0x103 04388 908 NtWaitForSingleObject (852, 1, {-5000000, -1}, ... 04294 572 NtReadFile ... {status=0x0, info=3972}, ... {status=0x0, info=3972}, "\15\12-//W3C//DTD HTML 4.0 Transitional//EN">\15\12\15\12\15\12\15\12 out of box experience\15\12 \15\12