Summary (number of calls recorded per system service):

NtAccessCheck(>) 1 NtQuerySecurityObject(>) 2 NtReadFile(>) 10 NtCreateKey(>) 31
NtAddAtom(>) 1 NtQuerySystemTime(>) 2 NtUserSystemParametersInfo(>) 10 NtSetInformationFile(>) 33
NtCallbackReturn(>) 1 NtSetEvent(>) 2 NtConnectPort(>) 11 NtQueryDefaultLocale(>) 36
NtClearEvent(>) 1 NtDeleteValueKey(>) 3 NtFlushInstructionCache(>) 13 NtUserGetClassInfo(>) 37
NtGdiCreateBitmap(>) 1 NtFreeVirtualMemory(>) 3 NtQueryInformationFile(>) 13 NtOpenSection(>) 40
NtGdiInit(>) 1 NtGdiCreateCompatibleDC(>) 3 NtContinue(>) 14 NtProtectVirtualMemory(>) 47
NtGdiQueryFontAssocInfo(>) 1 NtWaitForMultipleObjects(>) 3 NtUnmapViewOfSection(>) 14 NtUserFindExistingCursorIcon(>) 48
NtGdiSelectBitmap(>) 1 NtCreateIoCompletion(>) 4 NtReleaseMutant(>) 15 NtRequestWaitReplyPort(>) 53
NtOpenKeyedEvent(>) 1 NtEnumerateKey(>) 4 NtQuerySection(>) 18 NtMapViewOfSection(>) 54
NtOpenProcess(>) 1 NtNotifyChangeKey(>) 4 NtSetInformationThread(>) 19 NtQueryVirtualMemory(>) 60
NtOpenSymbolicLinkObject(>) 1 NtReleaseSemaphore(>) 4 NtSetInformationProcess(>) 20 NtOpenFile(>) 61
NtQueryEvent(>) 1 NtUserRegisterWindowMessage(>) 4 NtCreateThread(>) 21 NtUserRegisterClassExWOW(>) 63
NtQueryObject(>) 1 NtCreateMutant(>) 5 NtQueryDebugFilterState(>) 22 NtQueryAttributesFile(>) 88
NtQuerySymbolicLinkObject(>) 1 NtGdiGetStockObject(>) 5 NtQuerySystemInformation(>) 22 NtEnumerateValueKey(>) 93
NtQueryTimerResolution(>) 1 NtOpenProcessToken(>) 6 NtSetValueKey(>) 22 NtAllocateVirtualMemory(>) 97
NtSecureConnectPort(>) 1 NtOpenEvent(>) 7 NtQueryInformationProcess(>) 23 NtCreateFile(>) 149
NtUserCallNoParam(>) 1 NtQueryVolumeInformationFile(>) 7 NtQueryInformationThread(>) 23 NtCreateEvent(>) 186
NtUserCallOneParam(>) 1 NtSetInformationObject(>) 8 NtQueryInformationToken(>) 23 NtOpenKey(>) 187
NtUserGetDC(>) 1 NtWriteFile(>) 8 NtResumeThread(>) 23 NtRemoveIoCompletion(>) 187
NtUserGetThreadDesktop(>) 1 NtCreateSemaphore(>) 9 NtOpenThreadToken(>) 24 NtDelayExecution(>) 197
NtDuplicateToken(>) 2 NtOpenMutant(>) 9 NtRegisterThreadTerminatePort(>) 25 NtClose(>) 371
NtGdiCreateSolidBrush(>) 2 NtOpenProcessTokenEx(>) 9 NtTestAlert(>) 25 NtSetEventBoostPriority(>) 382
NtOpenDirectoryObject(>) 2 NtOpenThreadTokenEx(>) 9 NtDuplicateObject(>) 27 NtQueryValueKey(>) 396
NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 10 NtFsControlFile(>) 27 NtWaitForSingleObject(>) 659
NtQueryKey(>) 2 NtQueryDirectoryFile(>) 10 NtCreateSection(>) 29 NtDeviceIoControlFile(>) 782

Trace (system calls in the order recorded; the value after == is each call's result):

00001 420 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 420 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 420 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 2359296, 1048576, ) == 0x0 00005 420 NtAllocateVirtualMemory (-1, 2359296, 0, 4096, 4096, 4, ... 2359296, 4096, ) == 0x0 00006 420 NtAllocateVirtualMemory (-1, 2363392, 0, 8192, 4096, 4, ... 2363392, 8192, ) == 0x0 00007 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0 00009 420 NtAllocateVirtualMemory (-1, 3407872, 0, 24576, 4096, 4, ... 3407872, 24576, ) == 0x0 00010 420 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 420 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 420 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 420 NtClose (12, ... 
) == 0x0 00014 420 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 420 NtQueryVolumeInformationFile (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 420 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 420 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 420 NtClose (16, ... ) == 0x0 00021 420 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 420 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 420 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 2368312, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 3473408, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 2368312, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 3473408, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 420 NtClose (16, ... ) == 0x0 00026 420 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 420 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 420 NtQueryVirtualMemory (-1, 0x350000, Basic, 28, ... {BaseAddress=0x350000,AllocationBase=0x350000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 420 NtAllocateVirtualMemory (-1, 3473408, 0, 4096, 4096, 4, ... 3473408, 4096, ) == 0x0 00031 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1477, 0} "\0n\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 412, 420, 1477, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 412, 420, 1477, 0} "\0n\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 420 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 420 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 420 NtClose (16, ... ) == 0x0 00036 420 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0 00037 420 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x360000), 0x0, 90112, ) == 0x0 00040 420 NtClose (28, ... ) == 0x0 00041 420 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x380000), 0x0, 212992, ) == 0x0 00044 420 NtClose (28, ... ) == 0x0 00045 420 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 266240, ) == 0x0 00047 420 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 420 NtClose (28, ... ) == 0x0 00049 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 24576, ) == 0x0 00051 420 NtClose (28, ... ) == 0x0 00052 420 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 412, 420, 1480, 0} "\340\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 412, 420, 1480, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 412, 420, 1480, 0} "\340\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 8, ) == 0x0 00057 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 8, ... (0x408000), 4096, 4, ) == 0x0 00058 420 NtFlushInstructionCache (-1, 4227072, 4096, ... ) == 0x0 00059 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "advapi32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 420 NtClose (28, ... ) == 0x0 00062 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 420 NtClose (28, ... ) == 0x0 00065 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00066 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00067 420 NtFlushInstructionCache (-1, 4227072, 4096, ... ) == 0x0 00068 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00070 420 NtClose (28, ... ) == 0x0 00071 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00072 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00073 420 NtFlushInstructionCache (-1, 4227072, 4096, ... 
) == 0x0 00074 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00076 420 NtClose (28, ... ) == 0x0 00077 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00079 420 NtClose (28, ... ) == 0x0 00080 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00081 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00082 420 NtFlushInstructionCache (-1, 4227072, 4096, ... ) == 0x0 00083 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00085 420 NtClose (28, ... ) == 0x0 00086 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00087 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00088 420 NtClose (28, ... ) == 0x0 00089 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00091 420 NtClose (28, ... ) == 0x0 00092 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00093 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00094 420 NtClose (28, ... ) == 0x0 00095 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00096 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00097 420 NtClose (28, ... ) == 0x0 00098 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00099 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00100 420 NtClose (28, ... ) == 0x0 00101 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00102 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00103 420 NtFlushInstructionCache (-1, 4227072, 4096, ... ) == 0x0 00104 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 420 NtAllocateVirtualMemory (-1, 2371584, 0, 4096, 4096, 4, ... 2371584, 4096, ) == 0x0 00106 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 2291200, ... ) }, 2291200, ... ) == 0x0 00109 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00110 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00111 420 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00112 420 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00113 420 NtQueryInformationToken (36, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00114 420 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00115 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00116 420 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00117 420 NtClose (40, ... ) == 0x0 00118 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00119 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00120 420 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00121 420 NtClose (40, ... ) == 0x0 00122 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00123 420 NtClose (36, ... ) == 0x0 00124 420 NtClose (28, ... ) == 0x0 00125 420 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00126 420 NtClose (32, ... ) == 0x0 00127 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00128 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2290396, ... ) }, 2290396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00129 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2290396, ... ) }, 2290396, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00130 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2290396, ... ) }, 2290396, ... ) == 0x0 00131 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00132 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00133 420 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00134 420 NtClose (32, ... ) == 0x0 00135 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00136 420 NtClose (28, ... ) == 0x0 00137 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00138 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2289592, ... ) }, 2289592, ... ) == 0x0 00141 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00142 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00143 420 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00144 420 NtClose (28, ... ) == 0x0 00145 420 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00146 420 NtClose (32, ... ) == 0x0 00147 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... 
(0x408000), 4096, 4, ) == 0x0 00148 420 NtProtectVirtualMemory (-1, (0x408000), 4096, 4, ... (0x408000), 4096, 4, ) == 0x0 00149 420 NtFlushInstructionCache (-1, 4227072, 4096, ... ) == 0x0 00150 420 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00151 420 NtQueryInformationToken (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00152 420 NtClose (32, ... ) == 0x0 00153 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00154 420 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00155 420 NtClose (32, ... ) == 0x0 00156 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00157 420 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00158 420 NtQueryValueKey (32, (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00159 420 NtClose (32, ... ) == 0x0 00160 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0 00161 420 NtQueryValueKey (32, (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00162 420 NtClose (32, ... 
) == 0x0 00163 420 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0 00164 420 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00165 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00167 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0 00168 420 NtAllocateVirtualMemory (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0 00169 420 NtAllocateVirtualMemory (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0 00170 420 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00171 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3e0000), 0x0, 12288, ) == 0x0 00172 420 NtClose (28, ... ) == 0x0 00173 420 NtAllocateVirtualMemory (-1, 4009984, 0, 4096, 4096, 4, ... 4009984, 4096, ) == 0x0 00174 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00175 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ... 
{28, 56, reply, 0, 412, 420, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ) \0\3\0\0\0\234\6\31\1$\1\0\0 (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ) XQ\26\0\0\0\0\0\0\0\0\0\360\367 (24, {28, 56, new_msg, 0, 2291696, 256, 2291440, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 412, 420, 1492, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367"\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00176 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00177 420 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x530000), 0x0, 1060864, ) == 0x0 00178 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00179 420 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00180 420 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482208, ) == 0x0 00181 420 NtQueryInformationToken (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00182 420 NtQueryInformationToken (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00183 420 NtClose (-2147482208, ... ) == 0x0 00184 420 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00185 420 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00186 420 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00187 420 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00188 420 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00189 420 NtClose (-2147482208, ... ) == 0x0 00190 420 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00191 420 NtQueryValueKey (-2147482208, (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 420 NtClose (-2147482208, ... ) == 0x0 00193 420 NtQueryDefaultLocale (0, -135165428, ... ) == 0x0 00194 420 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00195 420 NtUserCallNoParam (24, ... ) == 0x0 00196 420 NtGdiCreateCompatibleDC (0, ... 00197 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00196 420 NtGdiCreateCompatibleDC ... ) == 0x100103d3 00198 420 NtGdiGetStockObject (0, ... ) == 0x1900010 00199 420 NtGdiGetStockObject (4, ... ) == 0x1900011 00200 420 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x3505040b 00201 420 NtGdiCreateSolidBrush (0, 0, ... 00202 420 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 9699328, 4096, ) == 0x0 00201 420 NtGdiCreateSolidBrush ... ) == 0x19100400 00203 420 NtGdiGetStockObject (13, ... ) == 0x18a0021 00204 420 NtGdiCreateCompatibleDC (0, ... ) == 0x1d0103ff 00205 420 NtGdiSelectBitmap (486605823, 889521163, ... ) == 0x185000f 00206 420 NtUserGetThreadDesktop (420, 0, ... ) == 0x2c 00207 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00208 420 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00209 420 NtClose (52, ... ) == 0x0 00210 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... 
) == 0x10011 00211 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 673, 128, 0, ... ) == 0x810dc017 00212 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00213 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 674, 128, 0, ... ) == 0x810dc01c 00214 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00215 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 675, 128, 0, ... ) == 0x810dc01e 00216 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00217 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 676, 128, 0, ... ) == 0x810d8002 00218 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10013 00219 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 677, 128, 0, ... ) == 0x810dc018 00220 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00221 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 678, 128, 0, ... ) == 0x810dc01a 00222 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00223 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 679, 128, 0, ... ) == 0x810dc01d 00224 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00225 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 681, 128, 0, ... ) == 0x810dc026 00226 420 NtUserFindExistingCursorIcon (2289780, 2289796, 2290364, ... ) == 0x10011 00227 420 NtUserRegisterClassExWOW (2290300, 2290380, 2290364, 2290396, 680, 128, 0, ... ) == 0x810dc019 00228 420 NtUserRegisterClassExWOW (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... 00229 420 NtAllocateVirtualMemory (-1, 6647808, 0, 4096, 4096, 32, ... 6647808, 4096, ) == 0x0 00228 420 NtUserRegisterClassExWOW ... ) == 0x810dc020 00230 420 NtUserRegisterClassExWOW (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... 
) == 0x810dc022 00231 420 NtUserRegisterClassExWOW (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc023 00232 420 NtUserRegisterClassExWOW (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810dc024 00233 420 NtUserRegisterClassExWOW (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc025 00234 420 NtCallbackReturn (0, 0, 0, ... 00235 420 NtGdiInit (... ) == 0x1 00236 420 NtGdiGetStockObject (18, ... ) == 0x290001c 00237 420 NtGdiGetStockObject (19, ... ) == 0x1b00019 00238 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00239 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00240 420 NtAllocateVirtualMemory (-1, 2375680, 0, 4096, 4096, 4, ... 2375680, 4096, ) == 0x0 00241 420 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00242 420 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00243 420 NtClose (52, ... ) == 0x0 00244 420 NtAllocateVirtualMemory (-1, 2379776, 0, 4096, 4096, 4, ... 2379776, 4096, ) == 0x0 00245 420 NtAllocateVirtualMemory (-1, 2383872, 0, 4096, 4096, 4, ... 2383872, 4096, ) == 0x0 00246 420 NtAllocateVirtualMemory (-1, 2387968, 0, 4096, 4096, 4, ... 2387968, 4096, ) == 0x0 00247 420 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00248 420 NtCreateEvent (0x1f0003, {24, 52, 0x80, 2292108, 0, (0x1f0003, {24, 52, 0x80, 2292108, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... 
) == STATUS_ACCESS_DENIED 00249 420 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00250 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00251 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00252 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00253 420 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00254 420 NtClose (60, ... ) == 0x0 00255 420 NtAllocateVirtualMemory (-1, 2392064, 0, 4096, 4096, 4, ... 2392064, 4096, ) == 0x0 00256 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00257 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00258 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00259 420 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00260 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00261 420 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 420 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00263 420 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00264 420 NtClose (60, ... ) == 0x0 00265 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00266 420 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 420 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00268 420 NtClose (60, ... ) == 0x0 00269 420 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00270 420 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00271 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00272 420 NtOpenKey (0x9, {24, 32, 0x40, 0, 0, (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00273 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00274 420 NtAllocateVirtualMemory (-1, 2396160, 0, 8192, 4096, 4, ... 
2396160, 8192, ) == 0x0 00275 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00276 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00277 420 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00278 420 NtClose (60, ... ) == 0x0 00279 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00280 420 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0 00281 420 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00282 420 NtQueryDefaultUILanguage (2290344, ... 00283 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00284 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00285 420 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00286 420 NtClose (-2147482208, ... ) == 0x0 00287 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00288 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00289 420 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00290 420 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 420 NtClose (-2147482196, ... ) == 0x0 00292 420 NtClose (-2147482208, ... 
) == 0x0 00282 420 NtQueryDefaultUILanguage ... ) == 0x0 00293 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 420 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00295 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00296 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00297 420 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 593920, ) == 0x0 00298 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 420 NtQueryDefaultUILanguage (2013024600, ... 00300 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00301 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00302 420 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00303 420 NtClose (-2147482208, ... ) == 0x0 00304 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00305 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 420 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00307 420 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 420 NtClose (-2147482196, ... ) == 0x0 00309 420 NtClose (-2147482208, ... ) == 0x0 00299 420 NtQueryDefaultUILanguage ... ) == 0x0 00310 420 NtAllocateVirtualMemory (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0 00311 420 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00312 420 NtQueryDefaultLocale (1, 2288380, ... ) == 0x0 00313 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00314 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... 
{128, 156, reply, 0, 412, 420, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 420, 1493, 0} (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1493, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\234\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) ) == 0x0 00315 420 NtClose (68, ... ) == 0x0 00316 420 NtClose (72, ... 
) == 0x0 00317 420 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00318 420 NtUnmapViewOfSection (-1, 0x22f554, ... ) == STATUS_NOT_MAPPED_VIEW 00319 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00320 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00322 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00323 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2286920, ... ) }, 2286920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00324 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00325 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00326 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00327 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287512, ... ) }, 2287512, ... ) == 0x0 00328 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00329 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00330 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00331 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00332 420 NtClose (68, ... ) == 0x0 00333 420 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 921600, ) == 0x0 00334 420 NtClose (76, ... 
) == 0x0 00335 420 NtUnmapViewOfSection (-1, 0xa00000, ... ) == 0x0 00336 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00337 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00338 420 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00339 420 NtClose (76, ... ) == 0x0 00340 420 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00341 420 NtClose (68, ... ) == 0x0 00342 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00343 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00344 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00345 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00346 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00347 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00348 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00349 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00350 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00351 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00352 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00353 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00354 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00355 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00356 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00357 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00358 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00359 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00360 420 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00361 420 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00362 420 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00363 420 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2288696, ... ) , 42, 2288696, ... ) == 0x0 00364 420 NtQueryDefaultUILanguage (2287412, ... 00365 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00366 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482208, ) == 0x0 00367 420 NtQueryInformationToken (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00368 420 NtClose (-2147482208, ... ) == 0x0 00369 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0 00370 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00371 420 NtOpenKey (0x80000000, {24, -2147482208, 0x640, 0, 0, (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0 00372 420 NtQueryValueKey (-2147482196, (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00373 420 NtClose (-2147482196, ... ) == 0x0 00374 420 NtClose (-2147482208, ... ) == 0x0 00364 420 NtQueryDefaultUILanguage ... 
) == 0x0 00375 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00376 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286264, ... ) }, 2286264, ... ) == 0x0 00377 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00378 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00379 420 NtClose (68, ... ) == 0x0 00380 420 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x950000), 0x0, 4096, ) == 0x0 00381 420 NtClose (76, ... ) == 0x0 00382 420 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00383 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2285904, ... ) }, 2285904, ... ) == 0x0 00384 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2286604, (0x80100080, {24, 0, 0x40, 0, 2286604, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00385 420 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00386 420 NtClose (76, ... ) == 0x0 00387 420 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x950000), {0, 0}, 4096, ) == 0x0 00388 420 NtClose (68, ... ) == 0x0 00389 420 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00390 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00391 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00392 420 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x950000), 0x0, 4096, ) == 0x0 00393 420 NtQueryInformationFile (68, 2286224, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00394 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00395 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... 
{128, 156, reply, 0, 412, 420, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351 (24, {128, 156, new_msg, 0, 2286304, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1494, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351"\0\0\0\0\0" ) ) == 0x0 00396 420 NtClose (68, ... ) == 0x0 00397 420 NtClose (76, ... ) == 0x0 00398 420 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 00399 420 NtUnmapViewOfSection (-1, 0x22e9e0, ... ) == STATUS_NOT_MAPPED_VIEW 00400 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00401 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00402 420 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00403 420 NtUserGetDC (0, ... ) == 0x1010052 00404 420 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00405 420 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00406 420 NtUserSystemParametersInfo (66, 12, 2288716, 0, ... ) == 0x1 00407 420 NtOpenProcessToken (-1, 0x8, ... 
76, ) == 0x0 00408 420 NtAccessCheck (2393000, 76, 0x1, 2288120, 2288064, 56, 2288148, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00409 420 NtClose (76, ... ) == 0x0 00410 420 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00411 420 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00412 420 NtClose (76, ... ) == 0x0 00413 420 NtUserSystemParametersInfo (41, 500, 2288216, 0, ... ) == 0x1 00414 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00415 420 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00416 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00417 420 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00418 420 NtClose (68, ... ) == 0x0 00419 420 NtClose (76, ... ) == 0x0 00420 420 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00421 420 NtUserSystemParametersInfo (4130, 0, 2288740, 0, ... ) == 0x1 00422 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00423 420 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00424 420 NtClose (76, ... ) == 0x0 00425 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00426 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc03b 00427 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc03d 00428 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... 
) == 0x10011 00429 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc03f 00430 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00431 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc041 00432 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00433 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc043 00434 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc045 00435 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00436 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc047 00437 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10011 00438 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc049 00439 420 NtUserGetClassInfo (1905590272, 2288636, 2288588, 2288664, 0, ... ) == 0xc049 00440 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00441 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc04b 00442 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00443 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc04d 00444 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00445 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc04f 00446 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc051 00447 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00448 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc053 00449 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... 
) == 0x10011 00450 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc055 00451 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc057 00452 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00453 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc059 00454 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10013 00455 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc05b 00456 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00457 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc05d 00458 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00459 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc05f 00460 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10011 00461 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc017 00462 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10011 00463 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc019 00464 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10013 00465 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... ) == 0x810dc018 00466 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00467 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc01a 00468 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10011 00469 420 NtUserRegisterClassExWOW (2288472, 2288552, 2288536, 2288568, 0, 384, 0, ... 00470 420 NtAllocateVirtualMemory (-1, 6651904, 0, 4096, 4096, 32, ... 
6651904, 4096, ) == 0x0 00469 420 NtUserRegisterClassExWOW ... ) == 0x810dc01c 00471 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00472 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc01e 00473 420 NtUserFindExistingCursorIcon (2288020, 2288036, 2288604, ... ) == 0x10011 00474 420 NtUserRegisterClassExWOW (2288532, 2288612, 2288596, 2288628, 0, 384, 0, ... ) == 0x810dc01b 00475 420 NtUserFindExistingCursorIcon (2288016, 2288032, 2288600, ... ) == 0x10011 00476 420 NtUserRegisterClassExWOW (2288528, 2288608, 2288592, 2288624, 0, 384, 0, ... ) == 0x810dc068 00477 420 NtUserFindExistingCursorIcon (2288024, 2288040, 2288608, ... ) == 0x10011 00478 420 NtUserRegisterClassExWOW (2288476, 2288556, 2288540, 2288572, 0, 384, 0, ... ) == 0x810dc06a 00479 420 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00480 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00481 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00482 420 NtTestAlert (... ) == 0x0 00483 420 NtContinue (2293040, 1, ... 00484 420 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x406eb0,}, 4, ... ) == 0x0 00485 420 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "Hiberium"}, 1, ... 68, ) }, 1, ... 68, ) == 0x0 00486 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 80, ) }, ... 
80, ) == 0x0 00487 420 NtQueryValueKey (80, (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00488 420 NtQueryValueKey (80, (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00489 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00490 420 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "Protocol_Catalog9"}, ... 88, ) }, ... 88, ) == 0x0 00491 420 NtQueryValueKey (88, (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00492 420 NtNotifyChangeKey (88, 84, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00493 420 NtQueryValueKey (88, (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00494 420 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00495 420 NtQueryValueKey (88, (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (88, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00496 420 NtQueryValueKey (88, (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (88, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 420 NtOpenKey (0x2000000, {24, 88, 0x40, 0, 0, (0x2000000, {24, 88, 0x40, 0, 0, "Catalog_Entries"}, ... 92, ) }, ... 92, ) == 0x0 00498 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000001"}, ... 96, ) }, ... 96, ) == 0x0 00499 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00500 420 NtAllocateVirtualMemory (-1, 2404352, 0, 4096, 4096, 4, ... 2404352, 4096, ) == 0x0 00501 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00502 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\367\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\370\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\371\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\372\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00503 420 NtClose (96, ... ) == 0x0 00504 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000002"}, ... 96, ) }, ... 96, ) == 0x0 00505 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00506 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00507 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\374\1\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\375\1\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\376\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\377\1\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00508 420 NtClose (96, ... ) == 0x0 00509 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000003"}, ... 96, ) }, ... 96, ) == 0x0 00510 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00511 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00512 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\1\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\2\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\3\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\4\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00513 420 NtClose (96, ... ) == 0x0 00514 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000004"}, ... 96, ) }, ... 96, ) == 0x0 00515 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00516 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00517 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\6\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\7\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\10\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\11\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00518 420 NtClose (96, ... ) == 0x0 00519 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000005"}, ... 96, ) }, ... 96, ) == 0x0 00520 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00521 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00522 420 NtAllocateVirtualMemory (-1, 2408448, 0, 4096, 4096, 4, ... 2408448, 4096, ) == 0x0 00523 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\14\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\15\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\16\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\17\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00524 420 NtClose (96, ... ) == 0x0 00525 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000006"}, ... 96, ) }, ... 96, ) == 0x0 00526 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00527 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00528 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\21\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\22\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\23\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\24\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00529 420 NtClose (96, ... ) == 0x0 00530 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000007"}, ... 96, ) }, ... 96, ) == 0x0 00531 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00532 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00533 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\26\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\27\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\30\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\31\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00534 420 NtClose (96, ... ) == 0x0 00535 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000008"}, ... 96, ) }, ... 96, ) == 0x0 00536 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00537 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00538 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0\33\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\34\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0\35\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\36\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00539 420 NtClose (96, ... ) == 0x0 00540 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000009"}, ... 96, ) }, ... 96, ) == 0x0 00541 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00542 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00543 420 NtAllocateVirtualMemory (-1, 2412544, 0, 4096, 4096, 4, ... 2412544, 4096, ) == 0x0 00544 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376 (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, 
... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0!\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0"\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0#\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0$\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00545 420 NtClose (96, ... 
) == 0x0 00546 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000010"}, ... 96, ) }, ... 96, ) == 0x0 00547 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00548 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00549 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0 (96, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0&\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\\0\0\0\244\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\230\241$\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0'\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0`\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0$\0\2\0\0\0\220\0\0\0(\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0)\2\0\0\234\1\0\0\244\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0`\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) == 0x0 00550 420 NtClose (96, ... ) == 0x0 00551 420 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "000000000011"}, ... 96, ) }, ... 96, ) == 0x0 00552 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00553 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00554 420 NtQueryValueKey (96, (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0+\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0+\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0,\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\2\0\0\234\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0-\2\0\0\234\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0.\2\0\0\234\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0.\2\0\0\234\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0/\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0\300\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0H\241$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (96, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0+\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0`\0\0\0+\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0,\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\\0\0\0,\2\0\0\234\1\0\0\244\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0-\2\0\0\234\1\0\0\244\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0-\2\0\0\234\1\0\0\244\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0.\2\0\0\234\1\0\0\244\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0.\2\0\0\234\1\0\0\244\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\\0\0\0/\2\0\0\234\1\0\0\244\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0P\0\0\0\300\376"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0H\241$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0H\241$\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00555 420 NtClose (96, ... 
) == 0x0 00556 420 NtClose (92, ... ) == 0x0 00557 420 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 00558 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0 00559 420 NtOpenKey (0x2000000, {24, 80, 0x40, 0, 0, (0x2000000, {24, 80, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 96, ) }, ... 96, ) == 0x0 00560 420 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00561 420 NtNotifyChangeKey (96, 92, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00562 420 NtQueryValueKey (96, (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00563 420 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00564 420 NtQueryValueKey (96, (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (96, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00565 420 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Catalog_Entries"}, ... 100, ) }, ... 100, ) == 0x0 00566 420 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000001"}, ... 104, ) }, ... 104, ) == 0x0 00567 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00568 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00569 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00570 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00571 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00572 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00573 420 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00574 420 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 420 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00576 420 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00577 420 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00578 420 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00579 420 NtClose (104, ... ) == 0x0 00580 420 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000002"}, ... 104, ) }, ... 104, ) == 0x0 00581 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00582 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00583 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00584 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00585 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00586 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00587 420 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00588 420 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 420 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00590 420 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00591 420 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00592 420 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00593 420 NtClose (104, ... ) == 0x0 00594 420 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "000000000003"}, ... 104, ) }, ... 104, ) == 0x0 00595 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00596 420 NtQueryValueKey (104, (104, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00597 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00598 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00599 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00600 420 NtQueryValueKey (104, (104, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00601 420 NtQueryValueKey (104, (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (104, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00602 420 NtQueryValueKey (104, (104, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00603 420 NtQueryValueKey (104, (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00604 420 NtQueryValueKey (104, (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00605 420 NtQueryValueKey (104, (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00606 420 NtQueryValueKey (104, (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00607 420 NtClose (104, ... 
) == 0x0 00608 420 NtClose (100, ... ) == 0x0 00609 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 00610 420 NtClose (80, ... ) == 0x0 00611 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00612 420 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00613 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 80, ) }, ... 80, ) == 0x0 00614 420 NtQueryValueKey (80, (80, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00615 420 NtClose (80, ... ) == 0x0 00616 420 NtAllocateVirtualMemory (-1, 2416640, 0, 4096, 4096, 4, ... 2416640, 4096, ) == 0x0 00617 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00618 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 100, ) == 0x0 00619 420 NtOpenKey (0x20006, {24, 32, 0x40, 0, 0, (0x20006, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 104, ) }, ... 104, ) == 0x0 00620 420 NtSetValueKey (104, (104, "MSPRO32", 0, 1, ""\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0\0\0", 42, ... , 0, 1, " (104, "MSPRO32", 0, 1, ""\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0"\0\0\0", 42, ... \0\0\0", 42, ... 00621 420 NtSetInformationFile (-2147482808, -135166156, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00622 420 NtSetInformationFile (-2147482808, -135166248, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00623 420 NtSetInformationFile (-2147482808, -135166556, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00620 420 NtSetValueKey ... ) == 0x0 00624 420 NtClose (104, ... 
) == 0x0 00625 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 10485760, 2097152, ) == 0x0 00626 420 NtAllocateVirtualMemory (-1, 12574720, 0, 8192, 4096, 4, ... 12574720, 8192, ) == 0x0 00627 420 NtProtectVirtualMemory (-1, (0xbfe000), 4096, 260, ... (0xbfe000), 4096, 4, ) == 0x0 00628 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292856, 2293572, 1, ... 104, {412, 568}, ) == 0x0 00629 420 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=412,Tid=568,}, 0x0, ) == 0x0 00630 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2293112, 2012750850, 2012697888, -1} (24, {28, 56, new_msg, 0, 2293112, 2012750850, 2012697888, -1} "\0\0\0\0\1\0\1\0\13\30\365w\4\1\0\0h\0\0\0\234\1\0\08\2\0\0" ... {28, 56, reply, 0, 412, 420, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\4\1\0\0h\0\0\0\234\1\0\08\2\0\0" ) ... {28, 56, reply, 0, 412, 420, 1495, 0} (24, {28, 56, new_msg, 0, 2293112, 2012750850, 2012697888, -1} "\0\0\0\0\1\0\1\0\13\30\365w\4\1\0\0h\0\0\0\234\1\0\08\2\0\0" ... {28, 56, reply, 0, 412, 420, 1495, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\4\1\0\0h\0\0\0\234\1\0\08\2\0\0" ) ) == 0x0 00631 420 NtResumeThread (104, ... 1, ) == 0x0 00632 420 NtClose (104, ... 00633 568 NtTestAlert (... ) == 0x0 00634 568 NtContinue (12582192, 1, ... 00635 568 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00636 568 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 12582716, (0x80100080, {24, 0, 0x40, 0, 12582716, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 96, 0, 0, ... }, 0x0, 0, 1, 1, 96, 0, 0, ... 00632 420 NtClose ... ) == 0x0 00637 420 NtDelayExecution (0, {-50000000, -1}, ... 00636 568 NtCreateFile ... 104, {status=0x0, info=1}, ) == 0x0 00638 568 NtQueryInformationFile (104, 12582752, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00639 568 NtCreateSection (0xf0005, 0x0, {6144, 0}, 2, 134217728, 104, ... 108, ) == 0x0 00640 568 NtMapViewOfSection (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... 
(0x950000), {0, 0}, 8192, ) == 0x0 00641 568 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 112, ) == 0x0 00642 568 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 00643 568 NtAllocateVirtualMemory (-1, 12570624, 0, 4096, 4096, 260, ... 12570624, 4096, ) == 0x0 00644 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579404, ... ) }, 12579404, ... ) == 0x0 00645 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0 00646 568 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 116, ... 120, ) == 0x0 00647 568 NtClose (116, ... ) == 0x0 00648 568 NtMapViewOfSection (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 229376, ) == 0x0 00649 568 NtClose (120, ... ) == 0x0 00650 568 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 00651 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579720, ... ) }, 12579720, ... ) == 0x0 00652 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0 00653 568 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 120, ... 116, ) == 0x0 00654 568 NtQuerySection (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00655 568 NtClose (120, ... ) == 0x0 00656 568 NtMapViewOfSection (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 00657 568 NtClose (116, ... ) == 0x0 00658 568 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00659 568 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00660 568 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00661 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 12579048, ... ) }, 12579048, ... ) == 0x0 00662 568 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 120, ) }, ... 120, ) == 0x0 00663 568 NtQueryValueKey (120, (120, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (120, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00664 568 NtQueryValueKey (120, (120, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (120, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 00665 568 NtClose (120, ... ) == 0x0 00666 568 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 120, ) }, ... 120, ) == 0x0 00667 568 NtQueryValueKey (120, (120, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00668 568 NtQueryValueKey (120, (120, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00669 568 NtQueryValueKey (120, (120, "Mapping", Partial, 152, ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (120, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 00670 568 NtClose (120, ... ) == 0x0 00671 568 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 120, ) }, ... 120, ) == 0x0 00672 568 NtQueryValueKey (120, (120, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (120, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00673 568 NtQueryValueKey (120, (120, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (120, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00674 568 NtQueryValueKey (120, (120, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (120, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00675 568 NtQueryValueKey (120, (120, "HelperDllName", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (120, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 00676 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12579968, ... ) }, 12579968, ... ) == 0x0 00677 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 00678 568 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0 00679 568 NtClose (124, ... ) == 0x0 00680 568 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x970000), 0x0, 20480, ) == 0x0 00681 568 NtClose (128, ... ) == 0x0 00682 568 NtUnmapViewOfSection (-1, 0x970000, ... ) == 0x0 00683 568 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 12580284, ... ) }, 12580284, ... ) == 0x0 00684 568 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00685 568 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0 00686 568 NtQuerySection (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00687 568 NtClose (128, ... ) == 0x0 00688 568 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 00689 568 NtClose (124, ... ) == 0x0 00690 568 NtClose (120, ... ) == 0x0 00691 568 NtAllocateVirtualMemory (-1, 2420736, 0, 4096, 4096, 4, ... 
2420736, 4096, ) == 0x0 00692 568 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 12582484, 67, ... 120, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 12582484, 67, ... 120, {status=0x0, info=0}, ) == 0x0 00693 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x1207b, (120, 116, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\330\351$\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\250\323\14\201", ) , 16, 16, ... {status=0x0, info=16}, (120, 116, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\330\351$\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\250\323\14\201", ) , ) == 0x0 00694 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x1207b, (120, 116, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\250\323\14\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\250\323\14\201", ) , 16, 16, ... {status=0x0, info=16}, (120, 116, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\250\323\14\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\250\323\14\201", ) , ) == 0x0 00695 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x12047, (120, 116, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330\351$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 00696 568 NtWaitForSingleObject (84, 0, {0, 0}, ... 
) == 0x102 00697 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x12003, (120, 116, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=124}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=124}, (120, 116, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=124}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00698 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x12047, (120, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00699 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, (120, 116, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 00700 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x1200b, (120, 116, 0x0, 0x0, 0x1200b, "\0\21\252q\377\377\377\177\0\0\0\0", 12, 0, ... {status=0x0, info=0}, 0x0, ) , 12, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 00701 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x12047, (120, 116, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\1\0\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00702 568 NtDelayExecution (0, {-10000, -1}, ... ) == 0x0 00703 568 NtDeviceIoControlFile (120, 116, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... {status=0x0, info=0}, "", ) == 0x103 00704 568 NtWaitForSingleObject (116, 1, {-5000000, -1}, ... ) == 0x102 00705 568 NtQuerySystemTime (... {-620926528, 29868092}, ) == 0x0 00706 568 NtWaitForSingleObject (116, 1, {-1, 2147483647}, ... 00637 420 NtDelayExecution ... ) == 0x0 00707 420 NtQueryValueKey (76, (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00708 420 NtQueryValueKey (76, (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00709 420 NtQueryValueKey (76, (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00710 420 NtQueryValueKey (76, (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00711 420 NtQueryValueKey (76, (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00712 420 NtQueryValueKey (76, (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00713 420 NtQueryValueKey (76, (76, "EnableHttp1_1", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00714 420 NtQueryValueKey (76, (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00715 420 NtQueryValueKey (76, (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00716 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00717 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 2290300, ... ) }, 2290300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 2290300, ... ) }, 2290300, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00719 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 2290300, ... ) }, 2290300, ... ) == 0x0 00720 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00721 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 132, ) == 0x0 00722 420 NtQuerySection (132, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00723 420 NtClose (128, ... ) == 0x0 00724 420 NtMapViewOfSection (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00725 420 NtClose (132, ... ) == 0x0 00726 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 132, ) == 0x0 00727 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
128, ) == 0x0 00728 420 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 136, ) }, ... 136, ) == 0x0 00729 420 NtQueryEvent (136, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 00730 420 NtClose (136, ... ) == 0x0 00731 420 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 2291784, 140, ... 136, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 2291784, 140, ... 136, 0x0, 0x0, 256, 140, ) == 0x0 00732 420 NtRequestWaitReplyPort (136, {28, 52, new_msg, 0, 0, 0, 0, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\20\353$\0" ... {176, 200, reply, 0, 412, 420, 1554, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 412, 420, 1554, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\20\353$\0" ... {176, 200, reply, 0, 412, 420, 1554, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00733 420 NtQueryValueKey (76, (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00734 420 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00735 420 NtQueryValueKey (140, (140, "FixupKey", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00736 420 NtClose (140, ... ) == 0x0 00737 420 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00738 420 NtQueryValueKey (140, (140, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00739 420 NtClose (140, ... ) == 0x0 00740 420 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 140, ) }, ... 140, ) == 0x0 00741 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 144, ) }, ... 144, ) == 0x0 00742 420 NtQueryValueKey (144, (144, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00743 420 NtClose (144, ... ) == 0x0 00744 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 144, ) }, ... 144, ) == 0x0 00745 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 148, ) }, ... 148, ) == 0x0 00746 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 152, ) }, ... 152, ) == 0x0 00747 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 156, ) }, ... 156, ) == 0x0 00748 420 NtQueryValueKey (156, (156, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00749 420 NtQueryValueKey (156, (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00750 420 NtClose (156, ... ) == 0x0 00751 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 156, ) }, ... 156, ) == 0x0 00752 420 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00753 420 NtQueryValueKey (156, (156, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00754 420 NtQueryValueKey (156, (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00755 420 NtQueryValueKey (156, (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00756 420 NtQueryValueKey (156, (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00757 420 NtQueryValueKey (156, (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (156, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00758 420 NtClose (156, ... 
) == 0x0 00759 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Content"}, ... 156, ) }, ... 156, ) == 0x0 00760 420 NtQueryValueKey (156, (156, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00761 420 NtClose (156, ... ) == 0x0 00762 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Content"}, ... 156, ) }, ... 156, ) == 0x0 00763 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 160, ) }, ... 160, ) == 0x0 00764 420 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00765 420 NtClose (160, ... ) == 0x0 00766 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 160, ) }, ... 160, ) == 0x0 00767 420 NtQueryValueKey (160, (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (160, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00768 420 NtClose (160, ... ) == 0x0 00769 420 NtQueryDefaultUILanguage (2286752, ... 00770 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00771 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482164, ) == 0x0 00772 420 NtQueryInformationToken (-2147482164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00773 420 NtClose (-2147482164, ... ) == 0x0 00774 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482164, ) }, ... -2147482164, ) == 0x0 00775 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00776 420 NtOpenKey (0x80000000, {24, -2147482164, 0x640, 0, 0, (0x80000000, {24, -2147482164, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482160, ) }, ... -2147482160, ) == 0x0 00777 420 NtQueryValueKey (-2147482160, (-2147482160, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00778 420 NtClose (-2147482160, ... ) == 0x0 00779 420 NtClose (-2147482164, ... ) == 0x0 00769 420 NtQueryDefaultUILanguage ... ) == 0x0 00780 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00781 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 160, {status=0x0, info=1}, ) }, 1, 96, ... 160, {status=0x0, info=1}, ) == 0x0 00782 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 160, ... 164, ) == 0x0 00783 420 NtMapViewOfSection (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xc00000), 0x0, 8323072, ) == 0x0 00784 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00785 420 NtAllocateVirtualMemory (-1, 2273280, 0, 4096, 4096, 260, ... 2273280, 4096, ) == 0x0 00786 420 NtQueryDefaultLocale (1, 2284788, ... ) == 0x0 00787 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00788 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2285644, 1, 96, 0} (24, {128, 156, new_msg, 0, 2285644, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347 (24, {128, 156, new_msg, 0, 2285644, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 412, 420, 1555, 0} (24, {128, 156, new_msg, 0, 2285644, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347 (24, {128, 156, new_msg, 0, 2285644, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1555, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\343"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1\240\0\0\0\377\377\377\377\0\0\0\0\20\311\367\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0L\347"\0\0\0\0\0" ) ) == 0x0 00789 420 NtClose (160, ... ) == 0x0 00790 420 NtClose (164, ... ) == 0x0 00791 420 NtUnmapViewOfSection (-1, 0xc00000, ... ) == 0x0 00792 420 NtUnmapViewOfSection (-1, 0x22e74c, ... ) == STATUS_NOT_MAPPED_VIEW 00793 420 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00794 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00795 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00796 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00797 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2283872, ... ) }, 2283872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00798 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00799 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00800 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00801 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2284464, ... ) }, 2284464, ... ) == 0x0 00802 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 164, {status=0x0, info=1}, ) }, 3, 33, ... 164, {status=0x0, info=1}, ) == 0x0 00803 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00804 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 160, ) }, ... 160, ) == 0x0 00805 420 NtMapViewOfSection (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00806 420 NtClose (160, ... ) == 0x0 00807 420 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 160, ) == 0x0 00808 420 NtQueryInformationProcess (160, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00809 420 NtClose (160, ... ) == 0x0 00810 420 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00811 420 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00812 420 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... 
) == 0x1 00813 420 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 160, ) }, ... 160, ) == 0x0 00814 420 NtQueryValueKey (160, (160, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00815 420 NtClose (160, ... ) == 0x0 00816 420 NtUserSystemParametersInfo (41, 500, 2286328, 0, ... ) == 0x1 00817 420 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00818 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00819 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00820 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc03b 00821 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00822 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc03d 00823 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00824 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00825 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc03f 00826 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00827 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00828 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc041 00829 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00830 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00831 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc043 00832 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00833 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc045 00834 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... 
) == 0x0 00835 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00836 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc047 00837 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00838 420 NtUserFindExistingCursorIcon (2286116, 2286132, 2286700, ... ) == 0x10011 00839 420 NtUserRegisterClassExWOW (2286568, 2286648, 2286632, 2286664, 0, 384, 0, ... ) == 0x810dc049 00840 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00841 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00842 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc04b 00843 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00844 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00845 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc04d 00846 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00847 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00848 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc04f 00849 420 NtUserGetClassInfo (1999896576, 2286740, 2286692, 2286768, 0, ... ) == 0x0 00850 420 NtUserRegisterClassExWOW (2286576, 2286656, 2286640, 2286672, 0, 384, 0, ... ) == 0x810dc051 00851 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00852 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00853 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc053 00854 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00855 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00856 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... 
) == 0x810dc055 00857 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc057 00858 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00859 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00860 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc059 00861 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00862 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10013 00863 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc05b 00864 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00865 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00866 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc05d 00867 420 NtUserGetClassInfo (1999896576, 2286736, 2286688, 2286764, 0, ... ) == 0x0 00868 420 NtUserFindExistingCursorIcon (2286120, 2286136, 2286704, ... ) == 0x10011 00869 420 NtUserRegisterClassExWOW (2286572, 2286652, 2286636, 2286668, 0, 384, 0, ... ) == 0x810dc05f 00870 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc03b 00871 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc03d 00872 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc03f 00873 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc041 00874 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc043 00875 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc045 00876 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc047 00877 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc049 00878 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... 
) == 0xc04b 00879 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc04d 00880 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc04f 00881 420 NtUserGetClassInfo (1999896576, 2288492, 2288444, 2288520, 0, ... ) == 0xc051 00882 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc053 00883 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc055 00884 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc059 00885 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc05b 00886 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc05d 00887 420 NtUserGetClassInfo (1999896576, 2288488, 2288440, 2288516, 0, ... ) == 0xc05f 00888 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00889 420 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 2417080, 0, (0x1f0003, {24, 52, 0x80, 2417080, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 160, ) }, 0, 2147483647, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 00890 420 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 00891 420 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 00892 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 00893 420 NtQueryValueKey (168, (168, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00894 420 NtClose (168, ... ) == 0x0 00895 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 2289012, ... ) }, 2289012, ... ) == 0x0 00896 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 00897 420 NtSetValueKey (168, (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (168, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 00898 420 NtClose (168, ... ) == 0x0 00899 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 2290344, ... ) }, 2290344, ... ) == 0x0 00900 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 2290076, ... ) }, 2290076, ... ) == 0x0 00901 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 
168, {status=0x0, info=1}, ) == 0x0 00902 420 NtSetInformationFile (168, 2290052, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00903 420 NtClose (168, ... ) == 0x0 00904 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 2290076, ... ) }, 2290076, ... ) == 0x0 00905 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00906 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00907 420 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 00908 420 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 168, ) }, ... 168, ) == 0x0 00909 420 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Paths"}, ... 172, ) }, ... 172, ) == 0x0 00910 420 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path1"}, ... 176, ) }, ... 176, ) == 0x0 00911 420 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path2"}, ... 180, ) }, ... 180, ) == 0x0 00912 420 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path3"}, ... 184, ) }, ... 184, ) == 0x0 00913 420 NtOpenKey (0xf, {24, 172, 0x40, 0, 0, (0xf, {24, 172, 0x40, 0, 0, "Path4"}, ... 188, ) }, ... 
188, ) == 0x0 00914 420 NtOpenKey (0xf, {24, 168, 0x40, 0, 0, (0xf, {24, 168, 0x40, 0, 0, "Special Paths"}, ... 192, ) }, ... 192, ) == 0x0 00915 420 NtSetValueKey (172, (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (172, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 00916 420 NtSetValueKey (172, (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (172, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 00917 420 NtSetValueKey (176, (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (176, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 00918 420 NtSetValueKey (180, (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... 
) , 0, 1, (180, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 00919 420 NtSetValueKey (184, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (184, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 00920 420 NtSetValueKey (188, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (188, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 00921 420 NtSetValueKey (176, (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (176, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00922 420 NtSetValueKey (180, (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... 
) , 0, 4, (180, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00923 420 NtSetValueKey (184, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (184, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00924 420 NtSetValueKey (188, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (188, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00925 420 NtClose (188, ... ) == 0x0 00926 420 NtClose (184, ... ) == 0x0 00927 420 NtClose (180, ... ) == 0x0 00928 420 NtClose (176, ... ) == 0x0 00929 420 NtClose (172, ... ) == 0x0 00930 420 NtClose (192, ... ) == 0x0 00931 420 NtClose (168, ... ) == 0x0 00932 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Cookies"}, ... 168, ) }, ... 168, ) == 0x0 00933 420 NtQueryValueKey (168, (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00934 420 NtClose (168, ... ) == 0x0 00935 420 NtClose (156, ... ) == 0x0 00936 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "Cookies"}, ... 156, ) }, ... 156, ) == 0x0 00937 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00938 420 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 00939 420 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 00940 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 00941 420 NtQueryValueKey (168, (168, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00942 420 NtClose (168, ... ) == 0x0 00943 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 2289012, ... ) }, 2289012, ... ) == 0x0 00944 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 00945 420 NtSetValueKey (168, (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (168, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 00946 420 NtClose (168, ... ) == 0x0 00947 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 2290344, ... ) }, 2290344, ... ) == 0x0 00948 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00949 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00950 420 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00951 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "History"}, ... 168, ) }, ... 168, ) == 0x0 00952 420 NtQueryValueKey (168, (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00953 420 NtClose (168, ... ) == 0x0 00954 420 NtClose (156, ... ) == 0x0 00955 420 NtOpenKey (0xf, {24, 148, 0x40, 0, 0, (0xf, {24, 148, 0x40, 0, 0, "History"}, ... 156, ) }, ... 156, ) == 0x0 00956 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00957 420 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 00958 420 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 00959 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0 00960 420 NtQueryValueKey (168, (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00961 420 NtClose (168, ... ) == 0x0 00962 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 2289012, ... ) }, 2289012, ... ) == 0x0 00963 420 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 
168, 2, ) == 0x0 00964 420 NtSetValueKey (168, (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (168, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 00965 420 NtClose (168, ... ) == 0x0 00966 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 2290344, ... ) }, 2290344, ... ) == 0x0 00967 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 2290076, ... ) }, 2290076, ... ) == 0x0 00968 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0 00969 420 NtSetInformationFile (168, 2290052, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00970 420 NtClose (168, ... ) == 0x0 00971 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 2290076, ... ) }, 2290076, ... ) == 0x0 00972 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00973 420 NtQueryValueKey (156, (156, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00974 420 NtQueryValueKey (156, (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00975 420 NtClose (156, ... ) == 0x0 00976 420 NtClose (152, ... ) == 0x0 00977 420 NtClose (144, ... ) == 0x0 00978 420 NtClose (148, ... ) == 0x0 00979 420 NtClose (140, ... ) == 0x0 00980 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 140, ) }, ... 140, ) == 0x0 00981 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 148, ) }, ... 148, ) == 0x0 00982 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 00983 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 00984 420 NtQueryVolumeInformationFile (144, 2291596, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00985 420 NtClose (144, ... ) == 0x0 00986 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 144, {status=0x0, info=1}, ) }, 3, 8388641, ... 144, {status=0x0, info=1}, ) == 0x0 00987 420 NtQueryVolumeInformationFile (144, 2291620, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00988 420 NtClose (144, ... ) == 0x0 00989 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 2291948, ... ) }, 2291948, ... 
) == 0x0 00990 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 144, {status=0x0, info=1}, ) }, 7, 2113568, ... 144, {status=0x0, info=1}, ) == 0x0 00991 420 NtSetInformationFile (144, 2291924, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00992 420 NtClose (144, ... ) == 0x0 00993 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291940, (0xc0100080, {24, 0, 0x40, 2417080, 2291940, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 00994 420 NtSetInformationFile (144, 2291992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00995 420 NtQueryInformationFile (144, 2291992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00996 420 NtClose (144, ... ) == 0x0 00997 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291924, (0xc0100080, {24, 0, 0x40, 2417080, 2291924, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 144, {status=0x0, info=1}, ) == 0x0 00998 420 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 152, ) }, ... 152, ) == 0x0 00999 420 NtMapViewOfSection (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x980000), {0, 0}, 32768, ) == 0x0 01000 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 01001 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 156, ) }, ... 156, ) == 0x0 01002 420 NtWaitForSingleObject (156, 0, 0x0, ... 
) == 0x0 01003 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0 01004 420 NtQueryVolumeInformationFile (168, 2291596, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01005 420 NtClose (168, ... ) == 0x0 01006 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 168, {status=0x0, info=1}, ) }, 3, 8388641, ... 168, {status=0x0, info=1}, ) == 0x0 01007 420 NtQueryVolumeInformationFile (168, 2291620, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01008 420 NtClose (168, ... ) == 0x0 01009 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 2291948, ... ) }, 2291948, ... ) == 0x0 01010 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 168, {status=0x0, info=1}, ) }, 7, 2113568, ... 168, {status=0x0, info=1}, ) == 0x0 01011 420 NtSetInformationFile (168, 2291924, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01012 420 NtClose (168, ... ) == 0x0 01013 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291940, (0xc0100080, {24, 0, 0x40, 2417080, 2291940, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01014 420 NtSetInformationFile (168, 2291992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01015 420 NtQueryInformationFile (168, 2291992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01016 420 NtClose (168, ... ) == 0x0 01017 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291924, (0xc0100080, {24, 0, 0x40, 2417080, 2291924, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
168, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 168, {status=0x0, info=1}, ) == 0x0 01018 420 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 192, ) }, ... 192, ) == 0x0 01019 420 NtMapViewOfSection (192, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 16384, ) == 0x0 01020 420 NtReleaseMutant (156, ... 0x0, ) == 0x0 01021 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 172, ) }, ... 172, ) == 0x0 01022 420 NtWaitForSingleObject (172, 0, 0x0, ... ) == 0x0 01023 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01024 420 NtQueryVolumeInformationFile (176, 2291596, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01025 420 NtClose (176, ... ) == 0x0 01026 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 176, {status=0x0, info=1}, ) }, 3, 8388641, ... 176, {status=0x0, info=1}, ) == 0x0 01027 420 NtQueryVolumeInformationFile (176, 2291620, 24, Size, ... {status=0x0, info=24}, ) == 0x0 01028 420 NtClose (176, ... ) == 0x0 01029 420 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 01030 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 2291948, ... ) }, 2291948, ... ) == 0x0 01031 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 176, {status=0x0, info=1}, ) }, 7, 2113568, ... 
176, {status=0x0, info=1}, ) == 0x0 01032 420 NtSetInformationFile (176, 2291924, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01033 420 NtClose (176, ... ) == 0x0 01034 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291940, (0xc0100080, {24, 0, 0x40, 2417080, 2291940, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01035 420 NtSetInformationFile (176, 2291992, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01036 420 NtQueryInformationFile (176, 2291992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01037 420 NtClose (176, ... ) == 0x0 01038 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 2417080, 2291924, (0xc0100080, {24, 0, 0x40, 2417080, 2291924, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 176, {status=0x0, info=1}, ) == 0x0 01039 420 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 180, ) }, ... 180, ) == 0x0 01040 420 NtMapViewOfSection (180, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9a0000), {0, 0}, 32768, ) == 0x0 01041 420 NtReleaseMutant (172, ... 0x0, ) == 0x0 01042 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 2292004, ... ) }, 2292004, ... ) == 0x0 01043 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01044 420 NtSetInformationFile (184, 2291980, 40, Basic, ... 
{status=0x0, info=0}, ) == 0x0 01045 420 NtClose (184, ... ) == 0x0 01046 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 2292004, ... ) }, 2292004, ... ) == 0x0 01047 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 2292004, ... ) }, 2292004, ... ) == 0x0 01048 420 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 184, {status=0x0, info=1}, ) }, 7, 2113568, ... 184, {status=0x0, info=1}, ) == 0x0 01049 420 NtSetInformationFile (184, 2291980, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01050 420 NtClose (184, ... ) == 0x0 01051 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 2292004, ... ) }, 2292004, ... ) == 0x0 01052 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01053 420 NtQueryInformationFile (144, 2290388, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01054 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 01055 420 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 184, ) }, ... 184, ) == 0x0 01056 420 NtOpenKey (0xf, {24, 184, 0x40, 0, 0, (0xf, {24, 184, 0x40, 0, 0, "Extensible Cache"}, ... 188, ) }, ... 188, ) == 0x0 01057 420 NtClose (184, ... ) == 0x0 01058 420 NtWaitForSingleObject (140, 0, {-600000000, -1}, ... ) == 0x0 01059 420 NtEnumerateKey (188, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (188, 0, Basic, 288, ... 
{LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 01060 420 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007051420070521"}, ... 184, ) }, ... 184, ) == 0x0 01061 420 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01062 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01063 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01064 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01065 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01066 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01067 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01068 420 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01069 420 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01070 420 NtClose (184, ... ) == 0x0 01071 420 NtEnumerateKey (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (188, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 01072 420 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007052120070528"}, ... 184, ) }, ... 
184, ) == 0x0 01073 420 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01074 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01075 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01076 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01077 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01078 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01079 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01080 420 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01081 420 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01082 420 NtClose (184, ... ) == 0x0 01083 420 NtEnumerateKey (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (188, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 01084 420 NtOpenKey (0xf, {24, 188, 0x40, 0, 0, (0xf, {24, 188, 0x40, 0, 0, "MSHist012007053120070601"}, ... 184, ) }, ... 184, ) == 0x0 01085 420 NtQueryValueKey (184, (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01086 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 01087 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01088 420 NtQueryValueKey (184, (184, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01089 420 NtQueryValueKey (184, (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (184, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 01090 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01091 420 NtQueryValueKey (184, (184, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 01092 420 NtQueryValueKey (184, (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01093 420 NtQueryValueKey (184, (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 01094 420 NtClose (184, ... ) == 0x0 01095 420 NtEnumerateKey (188, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01096 420 NtReleaseMutant (140, ... 0x0, ) == 0x0 01097 420 NtClose (188, ... ) == 0x0 01098 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01099 420 NtQueryInformationFile (144, 2292316, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01100 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 01101 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01102 420 NtQueryInformationFile (144, 2292388, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01103 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 01104 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01105 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01106 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND
01107 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01108 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01109 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) == 0x0
01110 420 NtQueryValueKey (188, "DisableWorkerThreadHibernation", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01111 420 NtClose (188, ... ) == 0x0
01112 420 NtQueryValueKey (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01113 420 NtQueryValueKey (76, "DisableReadRange", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01114 420 NtQueryValueKey (76, "SocketSendBufferLength", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01115 420 NtQueryValueKey (76, "SocketReceiveBufferLength", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01116 420 NtQueryValueKey (76, "KeepAliveTimeout", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01117 420 NtQueryValueKey (76, "MaxHttpRedirects", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01118 420 NtQueryValueKey (76, "MaxConnectionsPerServer", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01119 420 NtQueryValueKey (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01120 420 NtQueryValueKey (76, "ServerInfoTimeout", Partial, 144, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
01121 420 NtQueryValueKey (76, "ReceiveTimeOut", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01122 420 NtQueryValueKey (76, "DisableNTLMPreAuth", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01123 420 NtQueryValueKey (76, "ScavengeCacheLowerBound", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01124 420 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) == 0x0
01125 420 NtQueryValueKey (188, "ScavengeCacheFileLifeTime", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01126 420 NtClose (188, ... ) == 0x0
01127 420 NtQueryValueKey (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01128 420 NtQueryValueKey (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01129 420 NtQueryValueKey (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01130 420 NtQueryValueKey (76, "DisableCachingOfSSLPages", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01131 420 NtQueryValueKey (76, "PerUserCookies", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01132 420 NtQueryValueKey (76, "LeashLegacyCookies", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01133 420 NtQueryValueKey (76, "DisableNT4RasCheck", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01134 420 NtQueryValueKey (76, "DialupUseLanSettings", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01135 420 NtQueryValueKey (76, "SendExtraCRLF", Partial, 144, ...
) == STATUS_OBJECT_NAME_NOT_FOUND 01136 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 188, ) }, ... 188, ) == 0x0 01137 420 NtQueryValueKey (188, (188, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01138 420 NtClose (188, ... ) == 0x0 01139 420 NtQueryValueKey (76, (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01140 420 NtQueryValueKey (76, (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01141 420 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01142 420 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01143 420 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01144 420 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 01145 420 NtQueryValueKey (76, (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 420 NtQueryValueKey (76, (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 420 NtQueryValueKey (76, (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND
01148 420 NtQueryValueKey (76, "DnsCacheTimeout", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01149 420 NtQueryValueKey (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) == 0x0
01150 420 NtQueryValueKey (76, "WarnAlwaysOnPost", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01151 420 NtQueryValueKey (76, "WarnOnZoneCrossing", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01152 420 NtQueryValueKey (76, "WarnOnBadCertSending", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01153 420 NtQueryValueKey (76, "WarnOnBadCertRecving", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01154 420 NtQueryValueKey (76, "WarnOnPostRedirect", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01155 420 NtQueryValueKey (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01156 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 188, ) == 0x0
01157 420 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 184, ) == 0x0
01158 420 NtQueryValueKey (76, "GlobalUserOffline", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01159 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0
01160 420 NtQueryInformationFile (144, 2292364, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
01161 420 NtReleaseMutant (148, ... 0x0, ) == 0x0
01162 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 196, ) == 0x0
01163 420 NtCreateMutant (0x1f0001, 0x0, 0, ...
200, ) == 0x0
01164 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 204, ) == 0x0
01165 420 NtQueryValueKey (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0
01166 420 NtQueryValueKey (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0
01167 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 208, ) == 0x0
01168 420 NtQueryValueKey (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) == 0x0
01169 420 NtQueryValueKey (208, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) == 0x0
01170 420 NtClose (208, ... ) == 0x0
01171 420 NtAllocateVirtualMemory (-1, 2428928, 0, 4096, 4096, 4, ... 2428928, 4096, ) == 0x0
01172 420 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0
01173 420 NtWaitForSingleObject (200, 0, 0x0, ... ) == 0x0
01174 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01175 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 2290752, ...
) }, 2290752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01176 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "RASAPI32.DLL"}, 2290752, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01177 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 2290752, ... ) == 0x0
01178 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
01179 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
01180 420 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01181 420 NtClose (208, ... ) == 0x0
01182 420 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0
01183 420 NtClose (212, ... ) == 0x0
01184 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01185 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01186 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "rasman.dll"}, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01187 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 2289948, ... ) == 0x0
01188 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
01189 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
01190 420 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01191 420 NtClose (212, ...
) == 0x0
01192 420 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0
01193 420 NtClose (208, ... ) == 0x0
01194 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01195 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01196 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01197 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 2289144, ... ) == 0x0
01198 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
01199 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
01200 420 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01201 420 NtClose (208, ... ) == 0x0
01202 420 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
01203 420 NtClose (212, ... ) == 0x0
01204 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01205 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01206 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01207 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 2289948, ...
) == 0x0
01208 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
01209 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
01210 420 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01211 420 NtClose (212, ... ) == 0x0
01212 420 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0
01213 420 NtClose (208, ... ) == 0x0
01214 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01215 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01216 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01217 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 2289144, ... ) == 0x0
01218 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
01219 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 212, ) == 0x0
01220 420 NtQuerySection (212, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01221 420 NtClose (208, ... ) == 0x0
01222 420 NtMapViewOfSection (212, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0
01223 420 NtClose (212, ... ) == 0x0
01224 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
01225 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01226 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 2289144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01227 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 2289144, ... ) == 0x0
01228 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
01229 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 212, ... 208, ) == 0x0
01230 420 NtQuerySection (208, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
01231 420 NtClose (212, ... ) == 0x0
01232 420 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0
01233 420 NtClose (208, ... ) == 0x0
01234 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 208, ) == 0x0
01235 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 212, ) == 0x0
01236 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 216, ) == 0x0
01237 420 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 220, ) == 0x0
01238 420 NtQueryValueKey (220, "wave", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01239 420 NtQueryValueKey (220, "wave1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01240 420 NtQueryValueKey (220, "wave2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01241 420 NtQueryValueKey (220, "wave3", Partial, 536, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
01242 420 NtQueryValueKey (220, "wave4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01243 420 NtQueryValueKey (220, "wave5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01244 420 NtQueryValueKey (220, "wave6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01245 420 NtQueryValueKey (220, "wave7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01246 420 NtQueryValueKey (220, "wave8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01247 420 NtQueryValueKey (220, "wave9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01248 420 NtQueryValueKey (220, "midi", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01249 420 NtQueryValueKey (220, "midi1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01250 420 NtQueryValueKey (220, "midi2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01251 420 NtQueryValueKey (220, "midi3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01252 420 NtQueryValueKey (220, "midi4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01253 420 NtQueryValueKey (220, "midi5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01254 420 NtQueryValueKey (220, "midi6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01255 420 NtQueryValueKey (220, "midi7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01256 420 NtQueryValueKey (220, "midi8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01257 420 NtQueryValueKey (220, "midi9", Partial, 536, ...
) == STATUS_OBJECT_NAME_NOT_FOUND
01258 420 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0
01259 420 NtQueryValueKey (220, "aux", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01260 420 NtQueryValueKey (220, "aux1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01261 420 NtQueryValueKey (220, "aux2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01262 420 NtQueryValueKey (220, "aux3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01263 420 NtQueryValueKey (220, "aux4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01264 420 NtQueryValueKey (220, "aux5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01265 420 NtQueryValueKey (220, "aux6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01266 420 NtQueryValueKey (220, "aux7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01267 420 NtQueryValueKey (220, "aux8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01268 420 NtQueryValueKey (220, "aux9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01269 420 NtUserRegisterWindowMessage ("MSJSTICK_VJOYD_MSGSTR", ... ) == 0xc07c
01270 420 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 224, ) == 0x0
01271 420 NtQueryValueKey (224, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0
01272 420 NtClose (224, ... ) == 0x0
01273 420 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ...
) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
01274 420 NtQueryValueKey (220, "mixer", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01275 420 NtQueryValueKey (220, "mixer1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01276 420 NtQueryValueKey (220, "mixer2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01277 420 NtQueryValueKey (220, "mixer3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01278 420 NtQueryValueKey (220, "mixer4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01279 420 NtQueryValueKey (220, "mixer5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01280 420 NtQueryValueKey (220, "mixer6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01281 420 NtQueryValueKey (220, "mixer7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01282 420 NtQueryValueKey (220, "mixer8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01283 420 NtQueryValueKey (220, "mixer9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
01284 420 NtQueryDefaultUILanguage (2289144, ...
01285 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
01286 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482164, ) == 0x0
01287 420 NtQueryInformationToken (-2147482164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
01288 420 NtClose (-2147482164, ... ) == 0x0
01289 420 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482164, ) == 0x0
01290 420 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ...
) == STATUS_OBJECT_NAME_NOT_FOUND 01291 420 NtOpenKey (0x80000000, {24, -2147482164, 0x640, 0, 0, (0x80000000, {24, -2147482164, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482160, ) }, ... -2147482160, ) == 0x0 01292 420 NtQueryValueKey (-2147482160, (-2147482160, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 420 NtClose (-2147482160, ... ) == 0x0 01294 420 NtClose (-2147482164, ... ) == 0x0 01284 420 NtQueryDefaultUILanguage ... ) == 0x0 01295 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01296 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 224, {status=0x0, info=1}, ) }, 1, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01297 420 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0 01298 420 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9b0000), 0x0, 163840, ) == 0x0 01299 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01300 420 NtQueryDefaultLocale (1, 2287180, ... ) == 0x0 01301 420 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01302 420 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2288036, 1, 96, 0} (24, {128, 156, new_msg, 0, 2288036, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ... 
{128, 156, reply, 0, 412, 420, 1556, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360 (24, {128, 156, new_msg, 0, 2288036, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1556, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ) ... {128, 156, reply, 0, 412, 420, 1556, 0} (24, {128, 156, new_msg, 0, 2288036, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ... 
{128, 156, reply, 0, 412, 420, 1556, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360 (24, {128, 156, new_msg, 0, 2288036, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ... {128, 156, reply, 0, 412, 420, 1556, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\355"\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\31\1\340\0\0\0\377\377\377\377\0\0\0\0\360Z\235\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\244\360"\0\0\0\0\0" ) ) == 0x0 01303 420 NtClose (224, ... ) == 0x0 01304 420 NtClose (228, ... ) == 0x0 01305 420 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 01306 420 NtUnmapViewOfSection (-1, 0x22f0a4, ... ) == STATUS_NOT_MAPPED_VIEW 01307 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01308 420 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01309 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01310 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01311 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2286264, ... ) }, 2286264, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01312 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01313 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01314 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01315 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2286856, ... ) }, 2286856, ... ) == 0x0 01316 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 228, {status=0x0, info=1}, ) }, 3, 33, ... 228, {status=0x0, info=1}, ) == 0x0 01317 420 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01318 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 224, ) }, ... 224, ) == 0x0 01319 420 NtQueryValueKey (224, (224, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01320 420 NtQueryValueKey (224, (224, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 420 NtClose (224, ... ) == 0x0 01322 420 NtCreateMutant (0x1f0001, 0x0, 0, ... 224, ) == 0x0 01323 420 NtCreateMutant (0x1f0001, {24, 52, 0x80, 2432072, 0, (0x1f0001, {24, 52, 0x80, 2432072, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 01324 420 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 232, ) }, ... 232, ) == 0x0 01325 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 236, ) == 0x0 01326 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 240, ) == 0x0 01327 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 244, ) == 0x0 01328 420 NtAllocateVirtualMemory (-1, 2433024, 0, 4096, 4096, 4, ... 2433024, 4096, ) == 0x0 01329 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
248, ) == 0x0 01330 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 252, ) == 0x0 01331 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 256, ) == 0x0 01332 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 260, ) == 0x0 01333 420 NtCreateKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 264, 2, ) }, 0, 0x0, 0, ... 264, 2, ) == 0x0 01334 420 NtQueryValueKey (264, (264, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (264, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01335 420 NtClose (264, ... ) == 0x0 01336 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 264, ) == 0x0 01337 420 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 268, ) == 0x0 01338 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 272, ) }, ... 272, ) == 0x0 01339 420 NtQueryValueKey (272, (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01340 420 NtQueryValueKey (272, (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01341 420 NtQueryValueKey (272, (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01342 420 NtQueryValueKey (272, (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01343 420 NtQueryValueKey (272, (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01344 420 NtQueryValueKey (272, (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01345 420 NtQueryValueKey (272, (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01346 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 276, ) == 0x0 01347 420 NtNotifyChangeKey (272, 276, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01348 420 NtQueryValueKey (272, (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01349 420 NtQueryValueKey (272, (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01350 420 NtQueryValueKey (272, (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (272, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01351 420 NtQueryValueKey (272, (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01352 420 NtQueryValueKey (272, (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01353 420 NtQueryValueKey (272, (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01354 420 NtQueryValueKey (272, (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (272, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01355 420 NtNotifyChangeKey (272, 276, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01356 420 NtSetEvent (260, ... 0x0, ) == 0x0 01357 420 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 280, ) }, ... 280, ) == 0x0 01358 420 NtWaitForSingleObject (280, 0, {-1800000000, -1}, ... ) == 0x0 01359 420 NtClose (280, ... ) == 0x0 01360 420 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01361 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01362 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 280, ) }, ... 280, ) == 0x0 01363 420 NtQueryValueKey (280, (280, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01364 420 NtClose (280, ... ) == 0x0 01365 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01366 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 280, ) == 0x0 01367 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0 01368 420 NtQuerySystemTime (... {-575770278, 29868092}, ) == 0x0 01369 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 288, ) == 0x0 01370 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 420 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01372 420 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01373 420 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01374 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0 01375 420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
296, ) == 0x0 01376 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 300, ) }, ... 300, ) == 0x0 01377 420 NtOpenKey (0x20019, {24, 300, 0x40, 0, 0, (0x20019, {24, 300, 0x40, 0, 0, "ActiveComputerName"}, ... 304, ) }, ... 304, ) == 0x0 01378 420 NtQueryValueKey (304, (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (304, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01379 420 NtClose (304, ... ) == 0x0 01380 420 NtClose (300, ... ) == 0x0 01381 420 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 300, ) == 0x0 01382 420 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 304, ) == 0x0 01383 420 NtDuplicateObject (-1, 300, -1, 0x0, 0, 2, ... 308, ) == 0x0 01384 420 NtAllocateVirtualMemory (-1, 2437120, 0, 4096, 4096, 4, ... 2437120, 4096, ) == 0x0 01385 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01386 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 312, ) == 0x0 01387 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01388 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01389 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2290912, (0xc0100080, {24, 0, 0x40, 0, 2290912, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 316, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 316, {status=0x0, info=1}, ) == 0x0 01390 420 NtSetInformationFile (316, 2290968, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01391 420 NtSetInformationFile (316, 2290960, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01392 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01393 420 NtWriteFile (316, 293, 0, 0, (316, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01394 420 NtAllocateVirtualMemory (-1, 2441216, 0, 4096, 4096, 4, ... 2441216, 4096, ) == 0x0 01395 420 NtReadFile (316, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (316, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01396 420 NtFsControlFile (316, 293, 0x0, 0x0, 0x11c017, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\12!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01397 420 NtFsControlFile (316, 293, 0x0, 0x0, 0x11c017, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... 
{status=0x103, info=48}, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01398 420 NtFsControlFile (316, 293, 0x0, 0x0, 0x11c017, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01399 420 NtFsControlFile (316, 293, 0x0, 0x0, 0x11c017, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\364\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01400 420 NtFsControlFile (316, 293, 0x0, 0x0, 0x11c017, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (316, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\363\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01401 420 NtClose (312, ... ) == 0x0 01402 420 NtClose (316, ... ) == 0x0 01403 420 NtReleaseMutant (200, ... 0x0, ) == 0x0 01404 420 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01405 420 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01406 420 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01407 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01408 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0 01409 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01410 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01411 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2288416, (0xc0100080, {24, 0, 0x40, 0, 2288416, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 01412 420 NtSetInformationFile (312, 2288472, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01413 420 NtSetInformationFile (312, 2288464, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01414 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01415 420 NtWriteFile (312, 293, 0, 0, (312, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01416 420 NtReadFile (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01417 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20W\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01418 420 NtClose (316, ... ) == 0x0 01419 420 NtClose (312, ... 
) == 0x0 01420 420 NtCreateKey (0x2001d, {24, 32, 0x40, 0, 0, (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0 01421 420 NtCreateKey (0x20019, {24, 312, 0x40, 0, 0, (0x20019, {24, 312, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 01422 420 NtClose (312, ... ) == 0x0 01423 420 NtQueryValueKey (316, (316, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01424 420 NtClose (316, ... ) == 0x0 01425 420 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 316, ) }, ... 316, ) == 0x0 01426 420 NtWaitForSingleObject (316, 0, {-1800000000, -1}, ... ) == 0x0 01427 420 NtClose (316, ... ) == 0x0 01428 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01429 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0 01430 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01431 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01432 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2290500, (0xc0100080, {24, 0, 0x40, 0, 2290500, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 01433 420 NtSetInformationFile (312, 2290556, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01434 420 NtSetInformationFile (312, 2290548, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01435 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01436 420 NtWriteFile (312, 293, 0, 0, (312, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) == 0x0 01437 420 NtReadFile (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (312, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01438 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\13!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01439 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0\0\0\0\0 (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0\0\0\0\0", 64, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01440 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) \02\0\0\0 (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) \5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) == 0x103 01441 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, 
"\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0>\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) \0>\0\0\0 (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) \5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) == 0x103 01442 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) \0p\0\0\0 (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) \5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) == 0x103 01443 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) \0\242\0\0\0 (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\20\374"\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) \5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) == 0x103 01444 420 NtFsControlFile (312, 293, 0x0, 0x0, 0x11c017, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624}, (312, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\365\374\370\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 01445 420 NtClose (316, ... 
) == 0x0 01446 420 NtClose (312, ... ) == 0x0 01447 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01448 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 2290760, ... ) }, 2290760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01449 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 2290760, ... ) }, 2290760, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01450 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 2290760, ... ) }, 2290760, ... ) == 0x0 01451 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 01452 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 312, ... 316, ) == 0x0 01453 420 NtQuerySection (316, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01454 420 NtClose (312, ... ) == 0x0 01455 420 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 01456 420 NtClose (316, ... ) == 0x0 01457 420 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 316, ) }, ... 316, ) == 0x0 01458 420 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9b0000), {0, 0}, 4096, ) == 0x0 01459 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 312, ) == 0x0 01460 420 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 2291224, 112, ... 320, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2291224, 112, ... 
320, 0x0, 0x0, 0x0, 112, ) == 0x0 01461 420 NtRequestWaitReplyPort (320, {128, 152, new_msg, 0, 127980, 2359296, 2290988, 2012750850} (320, {128, 152, new_msg, 0, 127980, 2359296, 2290988, 2012750850} "\0\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\20\374$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1558, 0} "\7\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ) \0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\20\374$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0 (320, {128, 152, new_msg, 0, 127980, 2359296, 2290988, 2012750850} "\0\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\20\374$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1558, 0} "\7\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ) \7\373 (320, {128, 152, new_msg, 0, 127980, 2359296, 2290988, 2012750850} "\0\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\20\374$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1558, 0} "\7\373"\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1$\0x\1$\087%\0\240\1$\0\2708%\0(@%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0=\1\0\0\5\0\0\0" ) ) == 0x0 01462 420 NtRequestWaitReplyPort (320, {32, 56, new_msg, 0, 44, 7, 20, 0} (320, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\00,\334\21\261\306\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 412, 420, 1559, 0} "\2\4\0\0\1\0O\200\340\4\0\0P\7\31\201\0\320\371\177\374\70\300\0\0\0\0\340\4\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\210\22\24\201\304\13\26\370\277\6O\200\374\70\300\304\13\26\370X\5O\200\0\320\371\177\0\0\0\0\0\0\0\0\320\301\24\201X\5\31\201\1\6\31\201\0\0\0\0t\376\37\300X\5\31\201\0\0\0\0\0\0\11\1\377\377\10\1\0\0\0\0" ) ... {124, 148, reply, 0, 412, 420, 1559, 0} (320, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\00,\334\21\261\306\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... 
{124, 148, reply, 0, 412, 420, 1559, 0} "\2\4\0\0\1\0O\200\340\4\0\0P\7\31\201\0\320\371\177\374\70\300\0\0\0\0\340\4\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\210\22\24\201\304\13\26\370\277\6O\200\374\70\300\304\13\26\370X\5O\200\0\320\371\177\0\0\0\0\0\0\0\0\320\301\24\201X\5\31\201\1\6\31\201\0\0\0\0t\376\37\300X\5\31\201\0\0\0\0\0\0\11\1\377\377\10\1\0\0\0\0" ) ) == 0x0 01463 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01464 420 NtQueryInformationFile (144, 2292332, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01465 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 01466 420 NtRequestWaitReplyPort (136, {28, 52, new_msg, 0, 0, 0, 0, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2 F%\0" ... {176, 200, reply, 0, 412, 420, 1560, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 412, 420, 1560, 0} (136, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2 F%\0" ... {176, 200, reply, 0, 412, 420, 1560, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01467 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01468 420 NtOpenThreadToken (-2, 0x20008, 1, ... 
) == STATUS_NO_TOKEN 01469 420 NtOpenProcessToken (-1, 0x20008, ... 324, ) == 0x0 01470 420 NtQueryInformationToken (324, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01471 420 NtClose (324, ... ) == 0x0 01472 420 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 324, ) }, ... 324, ) == 0x0 01473 420 NtSetInformationObject (324, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 01474 420 NtOpenKey (0x3, {24, 324, 0x40, 0, 0, (0x3, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 328, ) }, ... 328, ) == 0x0 01475 420 NtOpenKey (0x1, {24, 328, 0x40, 0, 0, (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 332, ) }, ... 332, ) == 0x0 01476 420 NtQueryValueKey (332, (332, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01477 420 NtClose (332, ... ) == 0x0 01478 420 NtAllocateVirtualMemory (-1, 2445312, 0, 20480, 4096, 4, ... 2445312, 20480, ) == 0x0 01479 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01480 420 NtOpenProcessToken (-1, 0xc, ... 332, ) == 0x0 01481 420 NtReleaseSemaphore (160, 1, ... 0, ) == 0x0 01482 420 NtWaitForSingleObject (160, 0, {0, 0}, ... ) == 0x0 01483 420 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 01484 420 NtQueryValueKey (336, (336, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "Common AppData", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 01485 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 340, ) }, ... 340, ) == 0x0 01486 420 NtMapViewOfSection (340, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 01487 420 NtClose (340, ... ) == 0x0 01488 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 340, ) }, ... 340, ) == 0x0 01489 420 NtQueryValueKey (340, (340, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01490 420 NtClose (340, ... ) == 0x0 01491 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 340, ) }, ... 340, ) == 0x0 01492 420 NtQueryValueKey (340, (340, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 420 NtClose (340, ... ) == 0x0 01494 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 340, ) }, ... 340, ) == 0x0 01495 420 NtQueryValueKey (340, (340, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (340, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 01496 420 NtClose (340, ... ) == 0x0 01497 420 NtCreateEvent (0x1f0003, {24, 52, 0x80, 2287544, 0, (0x1f0003, {24, 52, 0x80, 2287544, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 340, ) }, 0, 1, ... 340, ) == STATUS_OBJECT_NAME_EXISTS 01498 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01499 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01500 420 NtQueryDefaultLocale (1, 2285380, ... 
) == 0x0 01501 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01502 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01503 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01504 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01505 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01506 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01507 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01508 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01509 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01510 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01511 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01512 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01513 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01514 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01515 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01516 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01517 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01518 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01519 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01520 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01521 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01522 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01523 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01524 420 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01525 420 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 344, ) == 0x0 01526 420 NtQueryInformationToken (344, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01527 420 NtClose (344, ... ) == 0x0 01528 420 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0 01529 420 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 348, ) }, ... 
348, ) == 0x0 01530 420 NtQueryValueKey (348, (348, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (348, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01531 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01532 420 NtQueryValueKey (348, (348, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (348, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 01533 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01534 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01535 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01536 420 NtQueryDefaultLocale (1, 2285380, ... ) == 0x0 01537 420 NtClose (348, ... ) == 0x0 01538 420 NtClose (344, ... ) == 0x0 01539 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0 01540 420 NtQueryValueKey (344, (344, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01541 420 NtClose (344, ... ) == 0x0 01542 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0 01543 420 NtQueryValueKey (344, (344, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01544 420 NtQueryValueKey (344, (344, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01545 420 NtClose (344, ... ) == 0x0 01546 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 420 NtAllocateVirtualMemory (-1, 4014080, 0, 4096, 4096, 4, ... 4014080, 4096, ) == 0x0 01548 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 344, ) }, ... 344, ) == 0x0 01549 420 NtQueryValueKey (344, (344, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01550 420 NtClose (344, ... ) == 0x0 01551 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01552 420 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10223616, 4096, ) == 0x0 01553 420 NtAllocateVirtualMemory (-1, 2465792, 0, 4096, 4096, 4, ... 2465792, 4096, ) == 0x0 01554 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01555 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01556 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0 01557 420 NtQueryValueKey (344, (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01558 420 NtClose (344, ... ) == 0x0 01559 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0 01560 420 NtQueryValueKey (344, (344, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 01561 420 NtClose (344, ... ) == 0x0 01562 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01563 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 344, ) }, ... 344, ) == 0x0 01564 420 NtQueryKey (344, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 01565 420 NtQuerySecurityObject (344, 7, 0, ... ) == STATUS_ACCESS_DENIED 01566 420 NtEnumerateValueKey (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01567 420 NtEnumerateValueKey (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01568 420 NtEnumerateValueKey (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01569 420 NtEnumerateValueKey (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01570 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01571 420 NtEnumerateValueKey (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01572 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01573 420 NtEnumerateValueKey (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01574 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01575 420 NtEnumerateValueKey (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01576 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01577 420 NtEnumerateValueKey (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01578 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01579 420 NtEnumerateValueKey (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (344, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01580 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01581 420 NtEnumerateValueKey (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01582 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01583 420 NtEnumerateValueKey (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01584 420 NtEnumerateValueKey (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01585 420 NtEnumerateValueKey (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (344, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01586 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01587 420 NtEnumerateValueKey (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (344, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01588 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01589 420 NtEnumerateValueKey (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (344, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01590 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01591 420 NtEnumerateValueKey (344, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (344, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01592 420 NtEnumerateValueKey (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (344, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01593 420 NtEnumerateValueKey (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (344, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01594 420 NtEnumerateValueKey (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (344, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01595 420 NtEnumerateValueKey (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (344, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01596 420 NtEnumerateValueKey (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (344, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01597 420 NtEnumerateValueKey (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (344, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01598 420 NtEnumerateValueKey (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01599 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01600 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01601 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 2288468, ... ) }, 2288468, ... ) == 0x0 01602 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01603 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01604 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01605 420 NtEnumerateValueKey (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (344, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (344, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01606 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01607 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01608 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 2288468, ... ) }, 2288468, ... ) == 0x0 01609 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01610 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01611 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01612 420 NtClose (344, ... ) == 0x0 01613 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 344, ) }, ... 344, ) == 0x0 01614 420 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "ActiveComputerName"}, ... 348, ) }, ... 348, ) == 0x0 01615 420 NtQueryValueKey (348, (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (348, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01616 420 NtClose (348, ... ) == 0x0 01617 420 NtClose (344, ... ) == 0x0 01618 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... 
{BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01619 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0 01620 420 NtQueryValueKey (344, (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01621 420 NtClose (344, ... ) == 0x0 01622 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 344, ) }, ... 344, ) == 0x0 01623 420 NtQueryValueKey (344, (344, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 01624 420 NtClose (344, ... ) == 0x0 01625 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01626 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 344, ) }, ... 344, ) == 0x0 01627 420 NtQueryValueKey (344, (344, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 01628 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01629 420 NtQueryValueKey (344, (344, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (344, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 01630 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01631 420 NtClose (344, ... ) == 0x0 01632 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01633 420 NtOpenKey (0x20019, {24, 324, 0x40, 0, 0, (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0 01634 420 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 01635 420 NtQueryInformationToken (332, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 01636 420 NtDuplicateToken (332, 0xc, {24, 0, 0x0, 0, 2289852, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 01637 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01638 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01639 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 01640 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01641 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01642 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2288056, (0xc0100080, {24, 0, 0x40, 0, 2288056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 01643 420 NtSetInformationFile (352, 2288112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01644 420 NtSetInformationFile (352, 2288104, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01645 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01646 420 NtWriteFile (352, 293, 0, 0, (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01647 420 NtReadFile (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20X\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01648 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20X\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20X\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20X\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01649 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\244\360"\0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\244\360"\0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01650 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\240%\0\1\0\0\0\314\240%\0 \0\0\0\1\0\0\0\16\0\20\0\330\240%\0\350\240%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\14\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\240%\0\1\0\0\0\314\240%\0 \0\0\0\1\0\0\0\16\0\20\0\330\240%\0\350\240%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01651 420 NtClose (348, ... ) == 0x0 01652 420 NtClose (352, ... ) == 0x0 01653 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01654 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 01655 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01656 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01657 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2288052, (0xc0100080, {24, 0, 0x40, 0, 2288052, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0 01658 420 NtSetInformationFile (348, 2288108, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01659 420 NtSetInformationFile (348, 2288100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01660 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01661 420 NtWriteFile (348, 293, 0, 0, (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01662 420 NtReadFile (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01663 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01664 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\240\360"\0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\240\360"\0\1\0\0\0\230\240%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01665 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\240%\0\1\0\0\0\314\240%\0 \0\0\0\1\0\0\0\16\0\20\0\330\240%\0\350\240%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\15\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\300\240%\0\1\0\0\0\314\240%\0 \0\0\0\1\0\0\0\16\0\20\0\330\240%\0\350\240%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01666 420 NtClose (352, ... ) == 0x0 01667 420 NtClose (348, ... ) == 0x0 01668 420 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01669 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01670 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 01671 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01672 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01673 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2287684, (0xc0100080, {24, 0, 0x40, 0, 2287684, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 01674 420 NtSetInformationFile (352, 2287740, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01675 420 NtSetInformationFile (352, 2287732, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01676 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01677 420 NtWriteFile (352, 293, 0, 0, (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01678 420 NtReadFile (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (352, 293, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Z\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01679 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Z\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20Z\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01680 420 NtClose (348, ... ) == 0x0 01681 420 NtClose (352, ... ) == 0x0 01682 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01683 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01684 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01685 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0 01686 420 NtQueryValueKey (352, (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (352, "ProfileImagePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 01687 420 NtClose (352, ... ) == 0x0 01688 420 NtCreateKey (0x2001f, {24, 344, 0x40, 0, 0, (0x2001f, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 352, 2, ) == 0x0 01689 420 NtQueryValueKey (352, (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 01690 420 NtClose (352, ... ) == 0x0 01691 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01692 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01693 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 2289756, ... ) }, 2289756, ... ) == 0x0 01694 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2289764, (0x80100080, {24, 0, 0x40, 0, 2289764, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 01695 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01696 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01697 420 NtQueryInformationFile (352, 2289780, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01698 420 NtReadFile (352, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 01699 420 NtClose (352, ... ) == 0x0 01700 420 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "Environment"}, ... 352, ) }, ... 
352, ) == 0x0 01701 420 NtAllocateVirtualMemory (-1, 2469888, 0, 12288, 4096, 4, ... 2469888, 12288, ) == 0x0 01702 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01703 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01704 420 NtEnumerateValueKey (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01705 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01706 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01707 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01708 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 2288496, ... ) }, 2288496, ... 
) == 0x0 01709 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01710 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01711 420 NtClose (348, ... ) == 0x0 01712 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01713 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01714 420 NtClose (348, ... ) == 0x0 01715 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01716 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01717 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01718 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01719 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01720 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01721 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 2288496, ... ) }, 2288496, ... ) == 0x0 01722 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01723 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01724 420 NtClose (348, ... ) == 0x0 01725 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01726 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01727 420 NtClose (348, ... ) == 0x0 01728 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01729 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01730 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01731 420 NtEnumerateValueKey (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01732 420 NtClose (352, ... ) == 0x0 01733 420 NtOpenKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "Volatile Environment"}, ... 352, ) }, ... 
352, ) == 0x0 01734 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01735 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01736 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01737 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01738 420 NtEnumerateValueKey (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01739 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01740 420 NtEnumerateValueKey (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01741 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01742 420 NtEnumerateValueKey (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01743 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01744 420 NtEnumerateValueKey (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01745 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01746 420 NtEnumerateValueKey (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01747 420 NtEnumerateValueKey (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01748 420 NtEnumerateValueKey (352, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01749 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01750 420 NtEnumerateValueKey (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01751 420 NtEnumerateValueKey (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01752 420 NtEnumerateValueKey (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01753 420 NtEnumerateValueKey (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01754 420 NtEnumerateValueKey (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01755 420 NtEnumerateValueKey (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01756 420 NtClose (352, ... ) == 0x0 01757 420 NtClose (344, ... ) == 0x0 01758 420 NtFreeVirtualMemory (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0 01759 420 NtClose (336, ... ) == 0x0 01760 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 2290420, ... ) }, 2290420, ... ) == 0x0 01761 420 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 01762 420 NtSetValueKey (336, (336, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (336, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0 01763 420 NtClose (336, ... ) == 0x0 01764 420 NtClose (332, ... ) == 0x0 01765 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 
332, {status=0x0, info=1}, ) == 0x0 01766 420 NtQueryDirectoryFile (332, 0, 0, 0, 2289396, 616, BothDirectory, 1, (332, 0, 0, 0, 2289396, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01767 420 NtClose (332, ... ) == 0x0 01768 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 332, {status=0x0, info=1}, ) }, 3, 16417, ... 332, {status=0x0, info=1}, ) == 0x0 01769 420 NtQueryDirectoryFile (332, 0, 0, 0, 2289396, 616, BothDirectory, 1, (332, 0, 0, 0, 2289396, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 01770 420 NtClose (332, ... ) == 0x0 01771 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01772 420 NtOpenProcessToken (-1, 0xc, ... 332, ) == 0x0 01773 420 NtQueryInformationToken (332, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 01774 420 NtOpenKey (0x2001f, {24, 324, 0x40, 0, 0, (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 336, ) == 0x0 01775 420 NtCreateKey (0x2000000, {24, 336, 0x40, 0, 0, (0x2000000, {24, 336, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0 01776 420 NtClose (336, ... ) == 0x0 01777 420 NtQueryValueKey (344, (344, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (344, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 01778 420 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10223616, 4096, ) == 0x0 01779 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... 
{BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01780 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01781 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0 01782 420 NtQueryValueKey (336, (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01783 420 NtClose (336, ... ) == 0x0 01784 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0 01785 420 NtQueryValueKey (336, (336, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 01786 420 NtClose (336, ... ) == 0x0 01787 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01788 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 336, ) }, ... 336, ) == 0x0 01789 420 NtQueryKey (336, Full, 176, ... 
{LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 01790 420 NtQuerySecurityObject (336, 7, 0, ... ) == STATUS_ACCESS_DENIED 01791 420 NtEnumerateValueKey (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01792 420 NtEnumerateValueKey (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01793 420 NtEnumerateValueKey (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01794 420 NtEnumerateValueKey (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01795 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... 
{BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01796 420 NtEnumerateValueKey (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01797 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01798 420 NtEnumerateValueKey (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01799 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01800 420 NtEnumerateValueKey (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01801 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01802 420 NtEnumerateValueKey (336, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01803 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01804 420 NtEnumerateValueKey (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01805 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01806 420 NtEnumerateValueKey (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01807 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01808 420 NtEnumerateValueKey (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01809 420 NtEnumerateValueKey (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01810 420 NtEnumerateValueKey (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (336, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 01811 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01812 420 NtEnumerateValueKey (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (336, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 01813 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... 
{BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01814 420 NtEnumerateValueKey (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (336, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 01815 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01816 420 NtEnumerateValueKey (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (336, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 01817 420 NtEnumerateValueKey (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (336, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 01818 420 NtEnumerateValueKey (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (336, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 01819 420 NtEnumerateValueKey (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (336, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 01820 420 NtEnumerateValueKey (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (336, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 01821 420 NtEnumerateValueKey (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (336, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 01822 420 NtEnumerateValueKey (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (336, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 01823 420 NtEnumerateValueKey (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01824 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01825 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01826 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 2288468, ... ) }, 2288468, ... ) == 0x0 01827 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01828 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01829 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01830 420 NtEnumerateValueKey (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (336, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 01831 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01832 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01833 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 2288468, ... ) }, 2288468, ... ) == 0x0 01834 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01835 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01836 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01837 420 NtClose (336, ... ) == 0x0 01838 420 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 336, ) }, ... 
336, ) == 0x0 01839 420 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "ActiveComputerName"}, ... 352, ) }, ... 352, ) == 0x0 01840 420 NtQueryValueKey (352, (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (352, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01841 420 NtClose (352, ... ) == 0x0 01842 420 NtClose (336, ... ) == 0x0 01843 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01844 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0 01845 420 NtQueryValueKey (336, (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01846 420 NtClose (336, ... ) == 0x0 01847 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 336, ) }, ... 336, ) == 0x0 01848 420 NtQueryValueKey (336, (336, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "DefaultUserProfile", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 01849 420 NtClose (336, ... ) == 0x0 01850 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01851 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 336, ) }, ... 336, ) == 0x0 01852 420 NtQueryValueKey (336, (336, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 01853 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01854 420 NtQueryValueKey (336, (336, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (336, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 01855 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01856 420 NtClose (336, ... ) == 0x0 01857 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01858 420 NtOpenKey (0x20019, {24, 324, 0x40, 0, 0, (0x20019, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 336, ) }, ... 
336, ) == 0x0 01859 420 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 01860 420 NtQueryInformationToken (332, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 01861 420 NtDuplicateToken (332, 0xc, {24, 0, 0x0, 0, 2289852, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 01862 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01863 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01864 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 01865 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01866 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01867 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2288056, (0xc0100080, {24, 0, 0x40, 0, 2288056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0 01868 420 NtSetInformationFile (348, 2288112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01869 420 NtSetInformationFile (348, 2288104, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01870 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01871 420 NtWriteFile (348, 293, 0, 0, (348, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01872 420 NtReadFile (348, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (348, 293, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20[\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01873 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20[\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20[\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20[\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01874 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\244\360"\0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\244\360"\0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01875 420 NtFsControlFile (348, 293, 0x0, 0x0, 0x11c017, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\324%\0\1\0\0\0d\324%\0 \0\0\0\1\0\0\0\16\0\20\0p\324%\0\200\324%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (348, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\16\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\324%\0\1\0\0\0d\324%\0 \0\0\0\1\0\0\0\16\0\20\0p\324%\0\200\324%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01876 420 NtClose (352, ... ) == 0x0 01877 420 NtClose (348, ... ) == 0x0 01878 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01879 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 01880 420 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01881 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01882 420 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 2288052, (0xc0100080, {24, 0, 0x40, 0, 2288052, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 01883 420 NtSetInformationFile (352, 2288108, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01884 420 NtSetInformationFile (352, 2288100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01885 420 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01886 420 NtWriteFile (352, 293, 0, 0, (352, 293, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01887 420 NtReadFile (352, 293, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (352, 293, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01888 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\360"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01889 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\240\360"\0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305\1\0\0\0\240\360"\0\1\0\0\0(\241%\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103 01890 420 NtFsControlFile (352, 293, 0x0, 0x0, 0x11c017, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\324%\0\1\0\0\0d\324%\0 \0\0\0\1\0\0\0\16\0\20\0p\324%\0\200\324%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (352, 293, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\17\263\215\250,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0X\324%\0\1\0\0\0d\324%\0 \0\0\0\1\0\0\0\16\0\20\0p\324%\0\200\324%\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0x\243%\0\1\0\0\0\1\0\0\0\20\0\22\0\214\243%\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01891 420 NtClose (348, ... ) == 0x0 01892 420 NtClose (352, ... ) == 0x0 01893 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01894 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01895 420 NtQueryInformationToken (332, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 01896 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 352, ) }, ... 352, ) == 0x0 01897 420 NtQueryValueKey (352, (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (352, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 01898 420 NtClose (352, ... ) == 0x0 01899 420 NtCreateKey (0x2001f, {24, 336, 0x40, 0, 0, (0x2001f, {24, 336, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 352, 2, ) }, 0, 0x0, 0, ... 
352, 2, ) == 0x0 01900 420 NtQueryValueKey (352, (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 01901 420 NtClose (352, ... ) == 0x0 01902 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01903 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01904 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 2289756, ... ) }, 2289756, ... ) == 0x0 01905 420 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 2289764, (0x80100080, {24, 0, 0x40, 0, 2289764, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 352, {status=0x0, info=1}, ) == 0x0 01906 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01907 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01908 420 NtQueryInformationFile (352, 2289780, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01909 420 NtReadFile (352, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 01910 420 NtClose (352, ... ) == 0x0 01911 420 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "Environment"}, ... 352, ) }, ... 352, ) == 0x0 01912 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01913 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01914 420 NtEnumerateValueKey (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01915 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01916 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01917 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01918 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 2288496, ... ) }, 2288496, ... ) == 0x0 01919 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01920 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... 
{status=0x0, info=138}, ) == 0x0 01921 420 NtClose (348, ... ) == 0x0 01922 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01923 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01924 420 NtClose (348, ... ) == 0x0 01925 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01926 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01927 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01928 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 01929 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01930 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01931 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 2288496, ... ) }, 2288496, ... ) == 0x0 01932 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 
348, {status=0x0, info=1}, ) == 0x0 01933 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01934 420 NtClose (348, ... ) == 0x0 01935 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 348, {status=0x0, info=1}, ) }, 3, 16417, ... 348, {status=0x0, info=1}, ) == 0x0 01936 420 NtQueryDirectoryFile (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, (348, 0, 0, 0, 2287856, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 01937 420 NtClose (348, ... ) == 0x0 01938 420 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01939 420 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01940 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01941 420 NtEnumerateValueKey (352, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01942 420 NtClose (352, ... ) == 0x0 01943 420 NtOpenKey (0x20019, {24, 336, 0x40, 0, 0, (0x20019, {24, 336, 0x40, 0, 0, "Volatile Environment"}, ... 352, ) }, ... 352, ) == 0x0 01944 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01945 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... 
{BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01946 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01947 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01948 420 NtEnumerateValueKey (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01949 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01950 420 NtEnumerateValueKey (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01951 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01952 420 NtEnumerateValueKey (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01953 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01954 420 NtEnumerateValueKey (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01955 420 NtQueryVirtualMemory (-1, 0x9c0000, Basic, 28, ... {BaseAddress=0x9c0000,AllocationBase=0x9c0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 01956 420 NtEnumerateValueKey (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01957 420 NtEnumerateValueKey (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01958 420 NtEnumerateValueKey (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (352, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 01959 420 NtEnumerateValueKey (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 1, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (352, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 01960 420 NtEnumerateValueKey (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (352, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 01961 420 NtEnumerateValueKey (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (352, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 01962 420 NtEnumerateValueKey (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (352, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 01963 420 NtEnumerateValueKey (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (352, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 01964 420 NtEnumerateValueKey (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (352, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (352, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 01965 420 NtEnumerateValueKey (352, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 01966 420 NtClose (352, ... ) == 0x0 01967 420 NtClose (336, ... ) == 0x0 01968 420 NtFreeVirtualMemory (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0 01969 420 NtClose (344, ... ) == 0x0 01970 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 2290420, ... ) }, 2290420, ... ) == 0x0 01971 420 NtQueryInformationToken (332, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 01972 420 NtOpenKey (0x2001f, {24, 324, 0x40, 0, 0, (0x2001f, {24, 324, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 344, ) }, ... 344, ) == 0x0 01973 420 NtCreateKey (0x2000000, {24, 344, 0x40, 0, 0, (0x2000000, {24, 344, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 01974 420 NtClose (344, ... ) == 0x0 01975 420 NtSetValueKey (336, (336, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (336, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 01976 420 NtClose (336, ... ) == 0x0 01977 420 NtClose (332, ... ) == 0x0 01978 420 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... 
) == STATUS_OBJECT_PATH_NOT_FOUND 01979 420 NtCreateKey (0x2, {24, 328, 0x40, 0, 0, (0x2, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0 01980 420 NtSetValueKey (332, (332, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (332, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 01981 420 NtClose (332, ... ) == 0x0 01982 420 NtOpenKey (0x20019, {24, 328, 0x40, 0, 0, (0x20019, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 332, ) }, ... 332, ) == 0x0 01983 420 NtQueryValueKey (332, (332, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01984 420 NtQueryValueKey (332, (332, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01985 420 NtQueryValueKey (332, (332, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01986 420 NtQueryValueKey (332, (332, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01987 420 NtClose (332, ... ) == 0x0 01988 420 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 01989 420 NtCreateKey (0x1, {24, 328, 0x40, 0, 0, (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0 01990 420 NtQueryValueKey (332, (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "SavedLegacySettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01991 420 NtQueryValueKey (332, (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01992 420 NtReleaseMutant (204, ... 0x0, ) == 0x0 01993 420 NtClose (332, ... ) == 0x0 01994 420 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 01995 420 NtCreateKey (0x1, {24, 328, 0x40, 0, 0, (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0 01996 420 NtQueryValueKey (332, (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01997 420 NtQueryValueKey (332, (332, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (332, "DefaultConnectionSettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 01998 420 NtReleaseMutant (204, ... 0x0, ) == 0x0 01999 420 NtClose (332, ... ) == 0x0 02000 420 NtWaitForSingleObject (184, 0, 0x0, ... ) == 0x0 02001 420 NtClearEvent (184, ... ) == 0x0 02002 420 NtSetEvent (184, ... 0x0, ) == 0x0 02003 420 NtCreateKey (0x20006, {24, 328, 0x40, 0, 0, (0x20006, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 332, 2, ) }, 0, "", 0, ... 332, 2, ) == 0x0 02004 420 NtSetValueKey (332, (332, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (332, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02005 420 NtDeleteValueKey (332, (332, "ProxyServer", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02006 420 NtDeleteValueKey (332, (332, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02007 420 NtDeleteValueKey (332, (332, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02008 420 NtClose (332, ... ) == 0x0 02009 420 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 332, ) }, ... 332, ) == 0x0 02010 420 NtCreateKey (0x2, {24, 332, 0x40, 0, 0, (0x2, {24, 332, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 336, 2, ) }, 0, "", 0, ... 336, 2, ) == 0x0 02011 420 NtSetValueKey (336, (336, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (336, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02012 420 NtClose (336, ... ) == 0x0 02013 420 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 02014 420 NtCreateKey (0x1, {24, 328, 0x40, 0, 0, (0x1, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 336, 2, ) }, 0, "", 0, ... 
336, 2, ) == 0x0 02015 420 NtQueryValueKey (336, (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02016 420 NtQueryValueKey (336, (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (336, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02017 420 NtCreateKey (0x2, {24, 328, 0x40, 0, 0, (0x2, {24, 328, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 344, 2, ) }, 0, "", 0, ... 344, 2, ) == 0x0 02018 420 NtReleaseMutant (204, ... 0x0, ) == 0x0 02019 420 NtClose (336, ... ) == 0x0 02020 420 NtSetValueKey (344, (344, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3, (344, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ... 02021 420 NtSetInformationFile (-2147482716, -135166156, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02022 420 NtSetInformationFile (-2147482716, -135166256, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02020 420 NtSetValueKey ... ) == 0x0 02023 420 NtClose (344, ... 
) == 0x0 02024 420 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 02025 420 NtQueryInformationFile (144, 2292488, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02026 420 NtReleaseMutant (148, ... 0x0, ) == 0x0 02027 420 NtReleaseMutant (196, ... 0x0, ) == 0x0 02028 420 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02029 420 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0 02030 420 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 2293336, 67, ... 336, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 2293336, 67, ... 336, {status=0x0, info=0}, ) == 0x0 02031 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12047, (336, 344, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02032 420 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02033 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12003, (336, 344, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=352}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=352}, (336, 344, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=352}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02034 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12037, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02035 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12047, (336, 344, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\352\3\0\0\11\6\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\2367\347w\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02036 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12007, (336, 344, 0x0, 0x0, 0x12007, "\0\0\0\0\16\0\2\0\4\14\0\0\1\0\0\0\16\0\2\0"\21R7\317\276\0\0\0\0\0\0\0\0", 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) \21R7\317\276\0\0\0\0\0\0\0\0", 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) == 0x103 02037 420 NtWaitForSingleObject (344, 1, {-5000000, -1}, ... ) == 0x0 02038 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12037, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02039 420 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 348, ) }, ... 348, ) == 0x0 02040 420 NtQueryValueKey (348, (348, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02041 420 NtQueryValueKey (348, (348, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 02042 420 NtQueryValueKey (348, (348, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02043 420 NtClose (348, ... ) == 0x0 02044 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02045 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02046 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 2291552, ... ) }, 2291552, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 2291552, ... ) }, 2291552, ... ) == 0x0 02048 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 348, {status=0x0, info=1}, ) }, 5, 96, ... 348, {status=0x0, info=1}, ) == 0x0 02049 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 348, ... 356, ) == 0x0 02050 420 NtQuerySection (356, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02051 420 NtClose (348, ... ) == 0x0 02052 420 NtMapViewOfSection (356, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 02053 420 NtClose (356, ... ) == 0x0 02054 420 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) == 0x0 02055 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
348, ) == 0x0 02056 420 NtDeviceIoControlFile (356, 348, 0x0, 0x0, 0xf14014, (356, 348, 0x0, 0x0, 0xf14014, "\0\0\0\0R7\317\276\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02057 420 NtClose (348, ... ) == 0x0 02058 420 NtClose (356, ... ) == 0x0 02059 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, (336, 344, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\14\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02060 420 NtDeviceIoControlFile (336, 344, 0x0, 0x0, 0x12037, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (336, 344, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02061 420 NtClose (352, ... ) == 0x0 02062 420 NtClose (336, ... ) == 0x0 02063 420 NtWaitForSingleObject (92, 0, {0, 0}, ... 
) == 0x102 02064 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 2289832, ... ) }, 2289832, ... ) == 0x0 02065 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02066 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 2289948, ... ) }, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02067 420 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 2289948, ... ) }, 2289948, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02068 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 2289948, ... ) }, 2289948, ... ) == 0x0 02069 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0 02070 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 336, ... 352, ) == 0x0 02071 420 NtQuerySection (352, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02072 420 NtClose (336, ... ) == 0x0 02073 420 NtMapViewOfSection (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 02074 420 NtClose (352, ... ) == 0x0 02075 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0 02076 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0 02077 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02078 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02079 420 NtQueryValueKey (336, (336, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02080 420 NtQueryValueKey (352, (352, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02081 420 NtQueryValueKey (336, (336, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02082 420 NtQueryValueKey (352, (352, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02083 420 NtQueryValueKey (336, (336, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02084 420 NtQueryValueKey (352, (352, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02085 420 NtQueryValueKey (336, (336, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02086 420 NtQueryValueKey (352, (352, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02087 420 NtQueryValueKey (336, (336, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02088 420 NtQueryValueKey (336, (336, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02089 420 NtQueryValueKey (336, (336, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02090 420 NtQueryValueKey (336, (336, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02091 420 NtQueryValueKey (336, (336, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02092 420 NtQueryValueKey (336, (336, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02093 420 NtQueryValueKey (336, (336, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02094 420 NtQueryValueKey (352, (352, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02095 420 NtQueryValueKey (336, (336, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02096 420 NtQueryValueKey (336, (336, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02097 420 NtQueryValueKey (352, (352, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02098 420 NtQueryValueKey (336, (336, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02099 420 NtQueryValueKey (352, (352, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02100 420 NtQueryValueKey (336, (336, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02101 420 NtQueryValueKey (352, (352, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02102 420 NtQueryValueKey (336, (336, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02103 420 NtQueryValueKey (352, (352, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02104 420 NtQueryValueKey (336, (336, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02105 420 NtQueryValueKey (352, (352, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02106 420 NtQueryValueKey (336, (336, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02107 420 NtQueryValueKey (352, (352, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02108 420 NtQueryValueKey (336, (336, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02109 420 NtQueryValueKey (352, (352, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02110 420 NtQueryValueKey (336, (336, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02111 420 NtQueryValueKey (352, (352, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 420 NtQueryValueKey (336, (336, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02113 420 NtQueryValueKey (336, (336, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02114 420 NtQueryValueKey (336, (336, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02115 420 NtQueryValueKey (336, (336, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02116 420 NtQueryValueKey (336, (336, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02117 420 NtQueryValueKey (336, (336, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02118 420 NtQueryValueKey (336, (336, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02119 420 NtQueryValueKey (336, (336, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02120 420 NtQueryValueKey (336, (336, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02121 420 NtQueryValueKey (336, (336, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02122 420 NtQueryValueKey (336, (336, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02123 420 NtQueryValueKey (336, (336, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02124 420 NtQueryValueKey (336, (336, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02125 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 356, ) }, ... 356, ) == 0x0 02126 420 NtQueryValueKey (356, (356, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (356, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02127 420 NtClose (356, ... ) == 0x0 02128 420 NtClose (352, ... ) == 0x0 02129 420 NtClose (336, ... ) == 0x0 02130 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0 02131 420 NtQueryValueKey (336, (336, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02132 420 NtQueryValueKey (336, (336, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02133 420 NtQueryValueKey (336, (336, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 420 NtClose (336, ... 
) == 0x0 02135 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0 02136 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290424, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290424, 112, ... 352, 0x0, 0x0, 0x0, 112, ) == 0x0 02137 420 NtRequestWaitReplyPort (352, {128, 152, new_msg, 0, 127180, 2359296, 2290188, 2012750850} (352, {128, 152, new_msg, 0, 127180, 2359296, 2290188, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1562, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ) \0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0 (352, {128, 152, new_msg, 0, 127180, 2359296, 2290188, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1562, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ) \7\370 (352, {128, 152, new_msg, 0, 127180, 2359296, 2290188, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1562, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\3\0H\336%\0 \326%\0\0\0\0\0\30\326%\0`\327%\0\320\330%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1$\0\0\0\0\0\177\0\0\0\5\0\0\0" ) ) == 0x0 02138 420 NtRequestWaitReplyPort (352, {64, 88, new_msg, 0, 44, 3, 20, 0} (352, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\00,\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 412, 420, 1563, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00X\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 412, 420, 1563, 0} (352, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\00,\334\21\261\306\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 412, 420, 1563, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00X\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02139 420 NtClose (336, ... ) == 0x0 02140 420 NtClose (352, ... 
) == 0x0 02141 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0 02142 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0 02143 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02144 420 NtQueryValueKey (352, (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02145 420 NtQueryValueKey (352, (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02146 420 NtClose (352, ... ) == 0x0 02147 420 NtClose (336, ... ) == 0x0 02148 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0 02149 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290288, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290288, 112, ... 
352, 0x0, 0x0, 0x0, 112, ) == 0x0 02150 420 NtRequestWaitReplyPort (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1566, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0 (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1566, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0 (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1566, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \7\370 (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1566, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) \0p\363 (352, {128, 152, new_msg, 0, 127044, 2359296, 2290052, 2012750850} "\0\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1566, 0} "\7\370"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\4\0H\336%\0h\327%\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0"\0p\363"\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02151 420 NtRequestWaitReplyPort (352, {44, 68, new_msg, 0, 412, 420, 1563, 0} (352, {44, 68, new_msg, 0, 412, 420, 1563, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 420, 1567, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... {40, 64, reply, 0, 412, 420, 1567, 0} (352, {44, 68, new_msg, 0, 412, 420, 1563, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 412, 420, 1567, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 02152 420 NtRequestWaitReplyPort (352, {64, 88, new_msg, 56, 0, 1, 0, 0} (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \0@\0\314w\340\335%\08\364 (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \0\0\267\362v\240\364 (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 412, 420, 1568, 0} (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \0@\0\314w\340\335%\08\364 (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) \0\0\267\362v\240\364 (352, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 412, 420, 1568, 0} "\10\364"\0@\0\314w\340\335%\08\364"\0\240\364"\0\0\267\362v\240\364"\0\340\335%\0\1\0\0\0\0\331%\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02153 420 NtClose (336, ... ) == 0x0 02154 420 NtClose (352, ... ) == 0x0 02155 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 352, 2, ) , 0, ... 352, 2, ) == 0x0 02156 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 336, ) }, ... 336, ) == 0x0 02157 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02158 420 NtQueryValueKey (352, (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02159 420 NtQueryValueKey (352, (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02160 420 NtClose (352, ... ) == 0x0 02161 420 NtClose (336, ... 
) == 0x0 02162 420 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 336, ) }, ... 336, ) == 0x0 02163 420 NtQueryValueKey (336, (336, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02164 420 NtClose (336, ... ) == 0x0 02165 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 2289832, ... ) }, 2289832, ... ) == 0x0 02166 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 336, {status=0x0, info=1}, ) }, 5, 96, ... 336, {status=0x0, info=1}, ) == 0x0 02167 420 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 336, ... 352, ) == 0x0 02168 420 NtClose (336, ... ) == 0x0 02169 420 NtMapViewOfSection (352, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 16384, ) == 0x0 02170 420 NtClose (352, ... ) == 0x0 02171 420 NtUnmapViewOfSection (-1, 0x9c0000, ... ) == 0x0 02172 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 2290148, ... ) }, 2290148, ... ) == 0x0 02173 420 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 352, {status=0x0, info=1}, ) }, 5, 96, ... 352, {status=0x0, info=1}, ) == 0x0 02174 420 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 352, ... 336, ) == 0x0 02175 420 NtQuerySection (336, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02176 420 NtClose (352, ... ) == 0x0 02177 420 NtMapViewOfSection (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 02178 420 NtClose (336, ... ) == 0x0 02179 420 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 336, ) }, ... 336, ) == 0x0 02180 420 NtMapViewOfSection (336, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x76f60000), 0x0, 180224, ) == 0x0 02181 420 NtClose (336, ... ) == 0x0 02182 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 336, ) == 0x0 02183 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 352, ) }, ... 352, ) == 0x0 02184 420 NtQueryValueKey (352, (352, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02185 420 NtClose (352, ... ) == 0x0 02186 420 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 2289832, ... ) }, 2289832, ... ) == 0x0 02187 420 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02188 420 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10223616, 65536, ) == 0x0 02189 420 NtAllocateVirtualMemory (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0 02190 420 NtAllocateVirtualMemory (-1, 10227712, 0, 8192, 4096, 4, ... 10227712, 8192, ) == 0x0 02191 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 02192 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 356, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 
356, 0x0, 0x0, 0x0, 112, ) == 0x0 02193 420 NtRequestWaitReplyPort (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ... {128, 152, reply, 0, 412, 420, 1571, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ) \0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0 (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1571, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ) \7$\370w\200\367 (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ... {128, 152, reply, 0, 412, 420, 1571, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\5\0H\336%\0\330\231%\0\0\0\0\0\320\231%\0\370\231%\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0X\0\0\0" ) ) == 0x0 02194 420 NtRequestWaitReplyPort (356, {108, 132, new_msg, 0, 412, 420, 1567, 0} (356, {108, 132, new_msg, 0, 412, 420, 1567, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\364\230%\0\23\0\0\0\0\0\0\0\23\0\0\0s\0t\0r\0t\0t\0.\0i\0n\0t\0e\0r\0f\0r\0e\0e\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1572, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 412, 420, 1572, 0} (356, {108, 132, new_msg, 0, 412, 420, 1567, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\364\230%\0\23\0\0\0\0\0\0\0\23\0\0\0s\0t\0r\0t\0t\0.\0i\0n\0t\0e\0r\0f\0r\0e\0e\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1572, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02195 420 NtClose (352, ... 
) == 0x0 02196 420 NtClose (356, ... ) == 0x0 02197 420 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) == 0x0 02198 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 02199 420 NtDeviceIoControlFile (356, 352, 0x0, 0x0, 0xf14014, (356, 352, 0x0, 0x0, 0xf14014, "\3\0\0\0strtt.interfree.it\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02200 420 NtClose (352, ... ) == 0x0 02201 420 NtClose (356, ... ) == 0x0 02202 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 02203 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0 02204 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 
352, 0x0, 0x0, 0x0, 112, ) == 0x0 02205 420 NtRequestWaitReplyPort (352, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} (352, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1575, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0 (352, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1575, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \7$\370w\200\367 (352, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1575, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\300\241%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) ) == 0x0 02206 420 NtRequestWaitReplyPort (352, {108, 132, new_msg, 0, 412, 420, 1572, 0} (352, {108, 132, new_msg, 0, 412, 420, 1572, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\364\230%\0\23\0\0\0\0\0\0\0\23\0\0\0s\0t\0r\0t\0t\0.\0i\0n\0t\0e\0r\0f\0r\0e\0e\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1576, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 412, 420, 1576, 0} (352, {108, 132, new_msg, 0, 412, 420, 1572, 0} "\1\240\0\0A\2\11\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\364\230%\0\23\0\0\0\0\0\0\0\23\0\0\0s\0t\0r\0t\0t\0.\0i\0n\0t\0e\0r\0f\0r\0e\0e\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1576, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02207 420 NtClose (356, ... 
) == 0x0 02208 420 NtClose (352, ... ) == 0x0 02209 420 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 352, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 352, {status=0x0, info=0}, ) == 0x0 02210 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0 02211 420 NtDeviceIoControlFile (352, 356, 0x0, 0x0, 0xf14014, (352, 356, 0x0, 0x0, 0xf14014, "\3\0\0\0strtt.interfree.it\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02212 420 NtClose (356, ... ) == 0x0 02213 420 NtClose (352, ... ) == 0x0 02214 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 02215 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 02216 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 356, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 
356, 0x0, 0x0, 0x0, 112, ) == 0x0 02217 420 NtRequestWaitReplyPort (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1579, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0 (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1579, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \7$\370w\200\367 (356, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1579, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\0\0\0\0\320\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) ) == 0x0 02218 420 NtRequestWaitReplyPort (356, {100, 124, new_msg, 0, 412, 420, 1576, 0} (356, {100, 124, new_msg, 0, 412, 420, 1576, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0|\364$\0\20\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0.\0l\0y\0c\0o\0s\0.\0i\0t\0\0\0\1\0t\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1580, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 412, 420, 1580, 0} (356, {100, 124, new_msg, 0, 412, 420, 1576, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0|\364$\0\20\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0.\0l\0y\0c\0o\0s\0.\0i\0t\0\0\0\1\0t\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1580, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02219 420 NtClose (352, ... ) == 0x0 02220 420 NtClose (356, ... 
) == 0x0 02221 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Linkage"}, ... 356, ) }, ... 356, ) == 0x0 02222 420 NtQueryValueKey (356, (356, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02223 420 NtQueryValueKey (356, (356, "Export", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02224 420 NtQueryValueKey (356, (356, "Export", Partial, 368, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\01\01\0C\0-\0C\09\02\0D\0B\08\01\03\08\07\0E\00\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0E\07\0D\0-\04\01\04\07\06\0D\04\0C\0C\0F\01\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\03\00\07\0-\05\0C\00\0D\00\03\06\08\0D\0E\01\0A\0}\0\0\0\0\0"}, 368, ) , Partial, 368, ... TitleIdx=0, Type=7, Data= (356, "Export", Partial, 368, ... TitleIdx=0, Type=7, Data="\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\01\01\0C\0-\0C\09\02\0D\0B\08\01\03\08\07\0E\00\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0E\07\0D\0-\04\01\04\07\06\0D\04\0C\0C\0F\01\04\0}\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\03\00\07\0-\05\0C\00\0D\00\03\06\08\0D\0E\01\0A\0}\0\0\0\0\0"}, 368, ) }, 368, ) == 0x0 02225 420 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{4FE57D7B-03A5-48B2-811C-C92DB81387E0}"}, 0x0, 0, 3, 3, 0, 0, 0, ... 352, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 0, 0, ... 
352, {status=0x0, info=0}, ) == 0x0 02226 420 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{ABE7E06F-620F-4EAA-AE7D-41476D4CCF14}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02227 420 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{D19DF882-A9CB-4144-8307-5C0D0368DE1A}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02228 420 NtClose (356, ... ) == 0x0 02229 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 356, ) == 0x0 02230 420 NtDeviceIoControlFile (352, 356, 0x0, 0x0, 0x210096, (352, 356, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0UTENTI.LYCOS.IT\0", 24, 1160, ... {status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x254b40, info=2359672}, (352, 356, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0UTENTI.LYCOS.IT\0", 24, 1160, ... 
{status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02231 420 NtWaitForMultipleObjects (1, (356, ), 1, 0, 0x0, ... ) == 0x0 02232 420 NtClose (356, ... ) == 0x0 02233 420 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 356, {status=0x0, info=0}, ) == 0x0 02234 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
348, ) == 0x0 02235 420 NtDeviceIoControlFile (356, 348, 0x0, 0x0, 0xf14014, (356, 348, 0x0, 0x0, 0xf14014, "\3\0\0\0utenti.lycos.it\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02236 420 NtClose (348, ... ) == 0x0 02237 420 NtClose (356, ... ) == 0x0 02238 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 02239 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0 02240 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290108, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0 02241 420 NtRequestWaitReplyPort (348, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} (348, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1583, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0 (348, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1583, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) \7$\370w\200\367 (348, {128, 152, new_msg, 0, 2359296, 126864, 2359296, 2289872} "\0$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1583, 0} "\7$\370w\200\367"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0H\336%\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\08\245%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\326%\0\5\0\0\0" ) ) == 0x0 02242 420 NtRequestWaitReplyPort (348, {100, 124, new_msg, 0, 412, 420, 1580, 0} (348, {100, 124, new_msg, 0, 412, 420, 1580, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0|\364$\0\20\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0.\0l\0y\0c\0o\0s\0.\0i\0t\0\0\0\1\0t\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1584, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 412, 420, 1584, 0} (348, {100, 124, new_msg, 0, 412, 420, 1580, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0|\364$\0\20\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0.\0l\0y\0c\0o\0s\0.\0i\0t\0\0\0\1\0t\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 420, 1584, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02243 420 NtClose (356, ... ) == 0x0 02244 420 NtClose (348, ... ) == 0x0 02245 420 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{ABE7E06F-620F-4EAA-AE7D-41476D4CCF14}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02246 420 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{D19DF882-A9CB-4144-8307-5C0D0368DE1A}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02247 420 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 
348, ) == 0x0 02248 420 NtDeviceIoControlFile (352, 348, 0x0, 0x0, 0x210096, (352, 348, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0UTENTI.LYCOS.IT\0", 24, 1160, ... {status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... {status=0x254b40, info=2359672}, (352, 348, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0UTENTI.LYCOS.IT\0", 24, 1160, ... 
{status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02249 420 NtWaitForMultipleObjects (1, (348, ), 1, 0, 0x0, ... ) == 0x0 02250 420 NtClose (348, ... ) == 0x0 02251 420 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 348, {status=0x0, info=0}, ) == 0x0 02252 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
356, ) == 0x0 02253 420 NtDeviceIoControlFile (348, 356, 0x0, 0x0, 0xf14014, (348, 356, 0x0, 0x0, 0xf14014, "\3\0\0\0utenti.lycos.it\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 02254 420 NtClose (356, ... ) == 0x0 02255 420 NtClose (348, ... ) == 0x0 02256 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 02257 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 02258 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2289828, 112, ... 356, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2289828, 112, ... 356, 0x0, 0x0, 0x0, 112, ) == 0x0 02259 420 NtRequestWaitReplyPort (356, {128, 152, new_msg, 0, 2359296, 126584, 2359296, 2289592} (356, {128, 152, new_msg, 0, 2359296, 126584, 2359296, 2289592} "\0$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1594, 0} "\7$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) \0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0 (356, {128, 152, new_msg, 0, 2359296, 126584, 2359296, 2289592} "\0$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1594, 0} "\7$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) \7$\370wh\366 (356, {128, 152, new_msg, 0, 2359296, 126584, 2359296, 2289592} "\0$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1594, 0} "\7$\370wh\366"\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0 \0\0\0\0\0\0\0\240\1$\0\240\1$\0\263\26\365\0h\233%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 02260 420 NtRequestWaitReplyPort (356, {64, 88, new_msg, 0, 412, 420, 1584, 0} (356, {64, 88, new_msg, 0, 412, 420, 1584, 0} "\1\240\0\0A\2\10\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0" ... {52, 76, reply, 0, 412, 420, 1595, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\23\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 412, 420, 1595, 0} (356, {64, 88, new_msg, 0, 412, 420, 1584, 0} "\1\240\0\0A\2\10\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0u\0t\0e\0n\0t\0i\0" ... {52, 76, reply, 0, 412, 420, 1595, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\23\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02261 420 NtClose (348, ... ) == 0x0 02262 420 NtClose (356, ... ) == 0x0 02263 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 356, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 356, 2, ) , 0, ... 356, 2, ) == 0x0 02264 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0 02265 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 420 NtQueryValueKey (356, (356, "Hostname", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02267 420 NtQueryValueKey (356, (356, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02268 420 NtClose (356, ... ) == 0x0 02269 420 NtClose (348, ... ) == 0x0 02270 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0 02271 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 356, ) }, ... 356, ) == 0x0 02272 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02273 420 NtQueryValueKey (348, (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02274 420 NtQueryValueKey (348, (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02275 420 NtClose (348, ... ) == 0x0 02276 420 NtClose (356, ... ) == 0x0 02277 420 NtWaitForSingleObject (92, 0, {0, 0}, ... ) == 0x102 02278 420 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
356, ) == 0x0 02279 420 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 2290168, 112, ... 348, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 2290168, 112, ... 348, 0x0, 0x0, 0x0, 112, ) == 0x0 02280 420 NtRequestWaitReplyPort (348, {128, 152, new_msg, 0, 126924, 2359296, 2289932, 2012750850} (348, {128, 152, new_msg, 0, 126924, 2359296, 2289932, 2012750850} "\0\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1598, 0} "\7\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) \0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0 (348, {128, 152, new_msg, 0, 126924, 2359296, 2289932, 2012750850} "\0\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 420, 1598, 0} "\7\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) \7\367 (348, {128, 152, new_msg, 0, 126924, 2359296, 2289932, 2012750850} "\0\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 420, 1598, 0} "\7\367"\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0\0\0\0\0\240\1$\0\240\1$\0\340\335%\0\320\231%\0\260\247%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 02281 420 NtRequestWaitReplyPort (348, {64, 88, new_msg, 0, 412, 420, 1595, 0} (348, {64, 88, new_msg, 0, 412, 420, 1595, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0u\0t\0e\0n\0t\0i\0" ... {52, 76, reply, 0, 412, 420, 1599, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\23\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 412, 420, 1599, 0} (348, {64, 88, new_msg, 0, 412, 420, 1595, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0u\0t\0e\0n\0t\0i\0" ... {52, 76, reply, 0, 412, 420, 1599, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\23\13\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02282 420 NtClose (356, ... ) == 0x0 02283 420 NtClose (348, ... 
) == 0x0 02284 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 348, 2, ) , 0, ... 348, 2, ) == 0x0 02285 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 356, ) }, ... 356, ) == 0x0 02286 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02287 420 NtQueryValueKey (348, (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02288 420 NtQueryValueKey (348, (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (348, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02289 420 NtClose (348, ... ) == 0x0 02290 420 NtClose (356, ... ) == 0x0 02291 420 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 356, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 356, 2, ) , 0, ... 356, 2, ) == 0x0 02292 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 348, ) }, ... 348, ) == 0x0 02293 420 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02294 420 NtQueryValueKey (356, (356, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02295 420 NtQueryValueKey (356, (356, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (356, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02296 420 NtClose (356, ... ) == 0x0 02297 420 NtClose (348, ... ) == 0x0 02298 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 12582912, 2097152, ) == 0x0 02299 420 NtAllocateVirtualMemory (-1, 14671872, 0, 8192, 4096, 4, ... 14671872, 8192, ) == 0x0 02300 420 NtProtectVirtualMemory (-1, (0xdfe000), 4096, 260, ... (0xdfe000), 4096, 4, ) == 0x0 02301 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 348, {412, 1308}, ) == 0x0 02302 420 NtQueryInformationThread (348, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=412,Tid=1308,}, 0x0, ) == 0x0 02303 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2360840, 2012550797, 2466680, 2436484} (24, {28, 56, new_msg, 0, 2360840, 2012550797, 2466680, 2436484} "\0\0\0\0\1\0\1\04\335%\04\335%\0\\1\0\0\234\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 412, 420, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\\1\0\0\234\1\0\0\34\5\0\0" ) ... {28, 56, reply, 0, 412, 420, 1601, 0} (24, {28, 56, new_msg, 0, 2360840, 2012550797, 2466680, 2436484} "\0\0\0\0\1\0\1\04\335%\04\335%\0\\1\0\0\234\1\0\0\34\5\0\0" ... {28, 56, reply, 0, 412, 420, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\\1\0\0\234\1\0\0\34\5\0\0" ) ) == 0x0 02304 420 NtResumeThread (348, ... 1, ) == 0x0 02305 420 NtClose (348, ... ) == 0x0 02306 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02307 1308 NtTestAlert (... ) == 0x0 02308 1308 NtContinue (14679344, 1, ... 02309 1308 NtRegisterThreadTerminatePort (24, ... 
) == 0x0 02310 1308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 348, ) == 0x0 02311 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02312 1308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02306 420 NtAllocateVirtualMemory ... 14680064, 2097152, ) == 0x0 02313 420 NtAllocateVirtualMemory (-1, 16769024, 0, 8192, 4096, 4, ... 16769024, 8192, ) == 0x0 02314 420 NtProtectVirtualMemory (-1, (0xffe000), 4096, 260, ... (0xffe000), 4096, 4, ) == 0x0 02315 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 356, {412, 1324}, ) == 0x0 02316 420 NtQueryInformationThread (356, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=412,Tid=1324,}, 0x0, ) == 0x0 02317 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1601, 0} (24, {28, 56, new_msg, 0, 412, 420, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\0,\5\0\0" ... {28, 56, reply, 0, 412, 420, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\0,\5\0\0" ) ... {28, 56, reply, 0, 412, 420, 1602, 0} (24, {28, 56, new_msg, 0, 412, 420, 1601, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\0,\5\0\0" ... {28, 56, reply, 0, 412, 420, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\0,\5\0\0" ) ) == 0x0 02312 1308 NtCreateEvent ... 360, ) == 0x0 02318 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679608, 67, ... 364, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679608, 67, ... 
364, {status=0x0, info=0}, ) == 0x0 02319 1308 NtDeviceIoControlFile (364, 360, 0x0, 0x0, 0x12047, (364, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330\231%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\304\335%\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02320 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02321 1308 NtDeviceIoControlFile (364, 360, 0x0, 0x0, 0x1203b, (364, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02322 1308 NtDeviceIoControlFile (364, 360, 0x0, 0x0, 0x12003, (364, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=368}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\15\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=368}, (364, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=368}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\15\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02323 420 NtResumeThread (356, ... 1, ) == 0x0 02324 420 NtClose (356, ... ) == 0x0 02325 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 16777216, 2097152, ) == 0x0 02326 420 NtAllocateVirtualMemory (-1, 18866176, 0, 8192, 4096, 4, ... 18866176, 8192, ) == 0x0 02327 420 NtProtectVirtualMemory (-1, (0x11fe000), 4096, 260, ... (0x11fe000), 4096, 4, ) == 0x0 02328 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 
356, {412, 1332}, ) == 0x0 02329 1308 NtDeviceIoControlFile (364, 360, 0x0, 0x0, 0x12047, (364, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340\335%\0\2\0\4\15\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\304\335%\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0RLD\0\3\250\2\0\0\0\0\0\300\0\0\0\0\0\0F\2\0\0\0\21\0\0\0\2\0\0\0\6\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02330 1324 NtTestAlert (... 02329 1308 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02330 1324 NtTestAlert ... ) == 0x0 02331 1308 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 02332 1324 NtContinue (16776496, 1, ... 02331 1308 NtCreateIoCompletion ... 372, ) == 0x0 02333 1324 NtRegisterThreadTerminatePort (24, ... 02334 1308 NtSetInformationObject (372, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... 02333 1324 NtRegisterThreadTerminatePort ... ) == 0x0 02334 1308 NtSetInformationObject ... ) == 0x0 02335 420 NtQueryInformationThread (356, Basic, 28, ... 02336 1324 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02335 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=412,Tid=1332,}, 0x0, ) == 0x0 02336 1324 NtDuplicateObject ... 376, ) == 0x0 02337 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1602, 0} (24, {28, 56, new_msg, 0, 412, 420, 1602, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\04\5\0\0" ... ... 02338 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... 02337 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1603, 0} ... {28, 56, reply, 0, 412, 420, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0d\1\0\0\234\1\0\04\5\0\0" ) ) == 0x0 02338 1324 NtWaitForSingleObject ... ) == 0x102 02339 420 NtResumeThread (356, ... 
02340 1324 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02341 1308 NtAllocateVirtualMemory (-1, 14667776, 0, 4096, 4096, 260, ... 02339 420 NtResumeThread ... 1, ) == 0x0 02341 1308 NtAllocateVirtualMemory ... 14667776, 4096, ) == 0x0 02342 420 NtClose (356, ... 02343 1308 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 14676924, ... }, 14676924, ... 02342 420 NtClose ... ) == 0x0 02343 1308 NtQueryAttributesFile ... ) == 0x0 02344 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02345 1308 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02344 420 NtAllocateVirtualMemory ... 18874368, 2097152, ) == 0x0 02345 1308 NtCreateEvent ... 356, ) == 0x0 02346 420 NtAllocateVirtualMemory (-1, 20963328, 0, 8192, 4096, 4, ... 02340 1324 NtCreateEvent ... 380, ) == 0x0 02347 1332 NtTestAlert (... 02348 1308 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02349 1324 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02347 1332 NtTestAlert ... ) == 0x0 02348 1308 NtAllocateVirtualMemory ... 20971520, 2097152, ) == 0x0 02349 1324 NtCreateEvent ... 384, ) == 0x0 02350 1332 NtContinue (18873648, 1, ... 02351 1308 NtAllocateVirtualMemory (-1, 23060480, 0, 8192, 4096, 4, ... 02352 1324 NtWaitForSingleObject (384, 0, 0x0, ... 02353 1332 NtRegisterThreadTerminatePort (24, ... 02351 1308 NtAllocateVirtualMemory ... 23060480, 8192, ) == 0x0 02353 1332 NtRegisterThreadTerminatePort ... ) == 0x0 02354 1308 NtProtectVirtualMemory (-1, (0x15fe000), 4096, 260, ... 02346 420 NtAllocateVirtualMemory ... 20963328, 8192, ) == 0x0 02354 1308 NtProtectVirtualMemory ... (0x15fe000), 4096, 4, ) == 0x0 02355 420 NtProtectVirtualMemory (-1, (0x13fe000), 4096, 260, ... 02356 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02355 420 NtProtectVirtualMemory ... (0x13fe000), 4096, 4, ) == 0x0 02356 1332 NtDuplicateObject ... 388, ) == 0x0 02357 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 
02358 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... 02357 420 NtCreateThread ... 392, {412, 1328}, ) == 0x0 02358 1332 NtWaitForSingleObject ... ) == 0x102 02359 420 NtQueryInformationThread (392, Basic, 28, ... 02360 1332 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02361 1308 NtCreateThread (0x1f03ff, 0x0, -1, 14678424, 14679140, 1, ... 02359 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=412,Tid=1328,}, 0x0, ) == 0x0 02361 1308 NtCreateThread ... 396, {412, 1336}, ) == 0x0 02362 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1603, 0} (24, {28, 56, new_msg, 0, 412, 420, 1603, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\210\1\0\0\234\1\0\00\5\0\0" ... ... 02363 1308 NtQueryInformationThread (396, Basic, 28, ... 02362 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1604, 0} ... {28, 56, reply, 0, 412, 420, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\210\1\0\0\234\1\0\00\5\0\0" ) ) == 0x0 02363 1308 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=412,Tid=1336,}, 0x0, ) == 0x0 02364 420 NtResumeThread (392, ... 02365 1308 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\234\1\0\08\5\0\0" ... ... 02364 420 NtResumeThread ... 1, ) == 0x0 02365 1308 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 1308, 1605, 0} ... {28, 56, reply, 0, 412, 1308, 1605, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\234\1\0\08\5\0\0" ) ) == 0x0 02360 1332 NtCreateEvent ... 400, ) == 0x0 02366 1328 NtTestAlert (... 02367 1308 NtResumeThread (396, ... 02368 1332 NtWaitForSingleObject (384, 0, 0x0, ... 02366 1328 NtTestAlert ... ) == 0x0 02367 1308 NtResumeThread ... 1, ) == 0x0 02369 1328 NtContinue (20970800, 1, ... 02370 1308 NtClose (396, ... 02371 1328 NtRegisterThreadTerminatePort (24, ... 02370 1308 NtClose ... ) == 0x0 02371 1328 NtRegisterThreadTerminatePort ... 
) == 0x0 02372 1308 NtSetEventBoostPriority (384, ... 02373 420 NtClose (392, ... 02374 1336 NtTestAlert (... 02375 1328 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02373 420 NtClose ... ) == 0x0 02374 1336 NtTestAlert ... ) == 0x0 02375 1328 NtDuplicateObject ... 392, ) == 0x0 02376 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02377 1336 NtContinue (23067952, 1, ... 02378 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... 02376 420 NtAllocateVirtualMemory ... 23068672, 2097152, ) == 0x0 02379 1336 NtRegisterThreadTerminatePort (24, ... 02378 1328 NtWaitForSingleObject ... ) == 0x102 02380 420 NtAllocateVirtualMemory (-1, 25157632, 0, 8192, 4096, 4, ... 02379 1336 NtRegisterThreadTerminatePort ... ) == 0x0 02381 1328 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02380 420 NtAllocateVirtualMemory ... 25157632, 8192, ) == 0x0 02352 1324 NtWaitForSingleObject ... ) == 0x0 02372 1308 NtSetEventBoostPriority ... ) == 0x0 02382 1336 NtSetInformationThread (-2, BasePriority, {thread info, class 3, size 4}, 4, ... 02381 1328 NtCreateEvent ... 396, ) == 0x0 02383 1324 NtSetEventBoostPriority (384, ... 02384 1308 NtWaitForSingleObject (384, 0, 0x0, ... 02382 1336 NtSetInformationThread ... ) == 0x0 02385 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971064, 67, ... }, 0x0, 0, 3, 3, 0, 20971064, 67, ... 02368 1332 NtWaitForSingleObject ... ) == 0x0 02383 1324 NtSetEventBoostPriority ... ) == 0x0 02386 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02387 1332 NtSetEventBoostPriority (384, ... 02385 1328 NtCreateFile ... 404, {status=0x0, info=0}, ) == 0x0 02388 420 NtProtectVirtualMemory (-1, (0x17fe000), 4096, 260, ... 02384 1308 NtWaitForSingleObject ... ) == 0x0 02387 1332 NtSetEventBoostPriority ... 
) == 0x0 02389 1328 NtDeviceIoControlFile (404, 396, 0x0, 0x0, 0x12047, (404, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20\253%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02390 1308 NtDelayExecution (0, {0, 0}, ... 02388 420 NtProtectVirtualMemory ... (0x17fe000), 4096, 4, ) == 0x0 02391 1324 NtWaitForSingleObject (384, 0, 0x0, ... 02389 1328 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02392 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02393 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... 02392 420 NtCreateThread ... 408, {412, 1312}, ) == 0x0 02394 1332 NtWaitForSingleObject (384, 0, 0x0, ... 02390 1308 NtDelayExecution ... ) == 0x0 02395 420 NtQueryInformationThread (408, Basic, 28, ... 02396 1308 NtCreateFile (0xc0100000, {24, 0, 0x40, 0, 0, (0xc0100000, {24, 0, 0x40, 0, 0, "\Device\Afd\AsyncConnectHlp"}, 0x0, 0, 3, 3, 0, 0, 0, ... }, 0x0, 0, 3, 3, 0, 0, 0, ... 02395 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=412,Tid=1312,}, 0x0, ) == 0x0 02396 1308 NtCreateFile ... 412, {status=0x0, info=0}, ) == 0x0 02393 1328 NtWaitForSingleObject ... ) == 0x102 02397 1308 NtSetInformationFile (412, 14679528, 8, Completion, ... 02398 1328 NtDeviceIoControlFile (404, 396, 0x0, 0x0, 0x1203b, (404, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02397 1308 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 02398 1328 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02399 1308 NtSetInformationObject (412, Handle, {Inherit=0,ProtectFromClose=1,}, 4456704, ... 02400 1328 NtDeviceIoControlFile (404, 396, 0x0, 0x0, 0x12003, (404, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02401 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1604, 0} (24, {28, 56, new_msg, 0, 412, 420, 1604, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\230\1\0\0\234\1\0\0 \5\0\0" ... ... 02400 1328 NtDeviceIoControlFile ... {status=0x0, info=416}, ... {status=0x0, info=416}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\16\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02401 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1606, 0} ... {28, 56, reply, 0, 412, 420, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\230\1\0\0\234\1\0\0 \5\0\0" ) ) == 0x0 02399 1308 NtSetInformationObject ... ) == 0x0 02402 420 NtResumeThread (408, ... 02403 1308 NtSetEventBoostPriority (384, ... 02402 420 NtResumeThread ... 1, ) == 0x0 02391 1324 NtWaitForSingleObject ... ) == 0x0 02403 1308 NtSetEventBoostPriority ... ) == 0x0 02404 1324 NtSetEventBoostPriority (384, ... 02405 420 NtClose (408, ... 02394 1332 NtWaitForSingleObject ... ) == 0x0 02404 1324 NtSetEventBoostPriority ... ) == 0x0 02406 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x2534f8, 0x12007, (412, 0, 0x0, 0x2534f8, 0x12007, "\0\0\0\0\16\0\2\0l\1\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\202\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 
02407 1328 NtDeviceIoControlFile (404, 396, 0x0, 0x0, 0x12047, (404, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\252%\0\2\0\4\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02408 1312 NtTestAlert (... 02409 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873912, 67, ... }, 0x0, 0, 3, 3, 0, 18873912, 67, ... 02410 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776760, 67, ... }, 0x0, 0, 3, 3, 0, 16776760, 67, ... 02406 1308 NtDeviceIoControlFile ... {status=0x103, info=7629102}, ... {status=0x103, info=7629102}, "\3\1\0\0.it\0", ) , ) == 0x103 02407 1328 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02409 1332 NtCreateFile ... 420, {status=0x0, info=0}, ) == 0x0 02408 1312 NtTestAlert ... ) == 0x0 02405 420 NtClose ... ) == 0x0 02411 1308 NtDelayExecution (0, {-10000, -1}, ... 
02412 1332 NtDeviceIoControlFile (420, 400, 0x0, 0x0, 0x12047, (420, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\256%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02413 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x25af60, 0x12007, (412, 0, 0x0, 0x25af60, 0x12007, "\0\0\0\0\16\0\2\0\224\1\0\0\1\0\0\0\16\0\2\0\1\275^\11o\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02414 1312 NtContinue (25165104, 1, ... 02415 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02410 1324 NtCreateFile ... 408, {status=0x0, info=0}, ) == 0x0 02386 1336 NtRemoveIoCompletion ... 1906658213, 2469728, {status=0xc000023d, info=0}, ) == 0x0 02413 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02416 1312 NtRegisterThreadTerminatePort (24, ... 02415 420 NtAllocateVirtualMemory ... 25165824, 2097152, ) == 0x0 02417 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02418 1324 NtDeviceIoControlFile (408, 380, 0x0, 0x0, 0x12047, (408, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\254%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 
02419 1328 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02416 1312 NtRegisterThreadTerminatePort ... ) == 0x0 02417 1336 NtCreateEvent ... 424, ) == 0x0 02420 420 NtAllocateVirtualMemory (-1, 27254784, 0, 8192, 4096, 4, ... 02418 1324 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02419 1328 NtCreateEvent ... 428, ) == 0x0 02412 1332 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02421 1336 NtWaitForSingleObject (424, 0, 0x0, ... 02420 420 NtAllocateVirtualMemory ... 27254784, 8192, ) == 0x0 02422 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... 02423 1312 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02424 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... 02425 420 NtProtectVirtualMemory (-1, (0x19fe000), 4096, 260, ... 02422 1324 NtWaitForSingleObject ... ) == 0x102 02423 1312 NtDuplicateObject ... 432, ) == 0x0 02424 1332 NtWaitForSingleObject ... ) == 0x102 02426 1328 NtClose (428, ... 02425 420 NtProtectVirtualMemory ... (0x19fe000), 4096, 4, ) == 0x0 02427 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... 02428 1332 NtDeviceIoControlFile (420, 400, 0x0, 0x0, 0x1203b, (420, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02426 1328 NtClose ... ) == 0x0 02429 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02427 1312 NtWaitForSingleObject ... ) == 0x102 02428 1332 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02430 1328 NtSetEventBoostPriority (424, ... 02429 420 NtCreateThread ... 428, {412, 1344}, ) == 0x0 02431 1312 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02432 1324 NtDeviceIoControlFile (408, 380, 0x0, 0x0, 0x1203b, (408, 380, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02421 1336 NtWaitForSingleObject ... ) == 0x0 02430 1328 NtSetEventBoostPriority ... ) == 0x0 02433 420 NtQueryInformationThread (428, Basic, 28, ... 
02434 1332 NtDeviceIoControlFile (420, 400, 0x0, 0x0, 0x12003, (420, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02435 1336 NtDeviceIoControlFile (404, 356, 0x0, 0x0, 0x12037, (404, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02432 1324 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02436 1328 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02433 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=412,Tid=1344,}, 0x0, ) == 0x0 02435 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02434 1332 NtDeviceIoControlFile ... {status=0x0, info=436}, ... {status=0x0, info=436}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\17\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02437 1324 NtDeviceIoControlFile (408, 380, 0x0, 0x0, 0x12003, (408, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02436 1328 NtCreateEvent ... 440, ) == 0x0 02438 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02439 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1606, 0} (24, {28, 56, new_msg, 0, 412, 420, 1606, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\254\1\0\0\234\1\0\0@\5\0\0" ... ... 02440 1332 NtDeviceIoControlFile (420, 400, 0x0, 0x0, 0x12047, (420, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\255%\0\2\0\4\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02437 1324 NtDeviceIoControlFile ... {status=0x0, info=444}, ... 
{status=0x0, info=444}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\20\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02431 1312 NtCreateEvent ... 448, ) == 0x0 02441 1328 NtWaitForSingleObject (440, 0, 0x0, ... 02440 1332 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02442 1324 NtDeviceIoControlFile (408, 380, 0x0, 0x0, 0x12047, (408, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\253%\0\2\0\4\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02443 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165368, 67, ... }, 0x0, 0, 3, 3, 0, 25165368, 67, ... 02444 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x25af60, 0x12007, (412, 0, 0x0, 0x25af60, 0x12007, "\0\0\0\0\16\0\2\0\244\1\0\0\1\0\0\0\16\0\2\0\1\275\226At\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02442 1324 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02443 1312 NtCreateFile ... 452, {status=0x0, info=0}, ) == 0x0 02438 1336 NtRemoveIoCompletion ... 1906658213, 2469728, {status=0xc000023d, info=0}, ) == 0x0 02444 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02439 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1607, 0} ... 
{28, 56, reply, 0, 412, 420, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\254\1\0\0\234\1\0\0@\5\0\0" ) ) == 0x0 02445 1312 NtDeviceIoControlFile (452, 448, 0x0, 0x0, 0x12047, (452, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230\262%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02446 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02447 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\230\1\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02448 420 NtResumeThread (428, ... 02446 1336 NtCreateEvent ... 456, ) == 0x0 02445 1312 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02447 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02449 1336 NtWaitForSingleObject (456, 0, 0x0, ... 02448 420 NtResumeThread ... 1, ) == 0x0 02450 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... 02451 1324 NtWaitForSingleObject (440, 0, 0x0, ... 02452 420 NtClose (428, ... 02453 1332 NtSetEventBoostPriority (456, ... 02454 1344 NtTestAlert (... 02452 420 NtClose ... ) == 0x0 02449 1336 NtWaitForSingleObject ... ) == 0x0 02453 1332 NtSetEventBoostPriority ... ) == 0x0 02454 1344 NtTestAlert ... ) == 0x0 02450 1312 NtWaitForSingleObject ... ) == 0x102 02455 1336 NtDeviceIoControlFile (420, 356, 0x0, 0x0, 0x12037, (420, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02456 1332 NtWaitForSingleObject (440, 0, 0x0, ... 02457 1344 NtContinue (27262256, 1, ... 02455 1336 NtDeviceIoControlFile ... 
{status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02458 1312 NtDeviceIoControlFile (452, 448, 0x0, 0x0, 0x1203b, (452, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02459 1344 NtRegisterThreadTerminatePort (24, ... 02460 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02458 1312 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02460 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02459 1344 NtRegisterThreadTerminatePort ... ) == 0x0 02461 1336 NtDeviceIoControlFile (408, 356, 0x0, 0x0, 0x12037, (408, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02462 1312 NtDeviceIoControlFile (452, 448, 0x0, 0x0, 0x12003, (452, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02463 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02461 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02462 1312 NtDeviceIoControlFile ... {status=0x0, info=428}, ... {status=0x0, info=428}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\21\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02464 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02463 420 NtAllocateVirtualMemory ... 27262976, 2097152, ) == 0x0 02465 1344 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02466 420 NtAllocateVirtualMemory (-1, 29351936, 0, 8192, 4096, 4, ... 02465 1344 NtDuplicateObject ... 460, ) == 0x0 02466 420 NtAllocateVirtualMemory ... 29351936, 8192, ) == 0x0 02467 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... 02468 420 NtProtectVirtualMemory (-1, (0x1bfe000), 4096, 260, ... 02467 1344 NtWaitForSingleObject ... ) == 0x102 02468 420 NtProtectVirtualMemory ... (0x1bfe000), 4096, 4, ) == 0x0 02469 1344 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
02470 1312 NtDeviceIoControlFile (452, 448, 0x0, 0x0, 0x12047, (452, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270\261%\0\2\0\4\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02471 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02470 1312 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02471 420 NtCreateThread ... 464, {412, 1320}, ) == 0x0 02472 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\304\1\0\0\1\0\0\0\16\0\2\0\1\275$N&\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02473 420 NtQueryInformationThread (464, Basic, 28, ... 02464 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02472 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02473 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=412,Tid=1320,}, 0x0, ) == 0x0 02474 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02475 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02474 1336 NtCreateEvent ... 468, ) == 0x0 02476 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1607, 0} (24, {28, 56, new_msg, 0, 412, 420, 1607, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\320\1\0\0\234\1\0\0(\5\0\0" ... ... 02477 1336 NtWaitForSingleObject (468, 0, 0x0, ... 02475 1312 NtCreateEvent ... 472, ) == 0x0 02476 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1608, 0} ... 
{28, 56, reply, 0, 412, 420, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\320\1\0\0\234\1\0\0(\5\0\0" ) ) == 0x0 02469 1344 NtCreateEvent ... 476, ) == 0x0 02478 420 NtResumeThread (464, ... 02479 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262520, 67, ... }, 0x0, 0, 3, 3, 0, 27262520, 67, ... 02478 420 NtResumeThread ... 1, ) == 0x0 02479 1344 NtCreateFile ... 480, {status=0x0, info=0}, ) == 0x0 02480 420 NtClose (464, ... 02481 1344 NtDeviceIoControlFile (480, 476, 0x0, 0x0, 0x12047, (480, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\265%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02480 420 NtClose ... ) == 0x0 02481 1344 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02482 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02483 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... 02484 1312 NtClose (472, ... 02485 1320 NtTestAlert (... 02482 420 NtAllocateVirtualMemory ... 29360128, 2097152, ) == 0x0 02484 1312 NtClose ... ) == 0x0 02485 1320 NtTestAlert ... ) == 0x0 02486 420 NtAllocateVirtualMemory (-1, 31449088, 0, 8192, 4096, 4, ... 02487 1312 NtSetEventBoostPriority (468, ... 02488 1320 NtContinue (29359408, 1, ... 02486 420 NtAllocateVirtualMemory ... 31449088, 8192, ) == 0x0 02477 1336 NtWaitForSingleObject ... ) == 0x0 02487 1312 NtSetEventBoostPriority ... ) == 0x0 02489 1320 NtRegisterThreadTerminatePort (24, ... 
02490 1336 NtDeviceIoControlFile (452, 356, 0x0, 0x0, 0x12037, (452, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02491 420 NtProtectVirtualMemory (-1, (0x1dfe000), 4096, 260, ... 02492 1312 NtWaitForSingleObject (440, 0, 0x0, ... 02490 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02489 1320 NtRegisterThreadTerminatePort ... ) == 0x0 02491 420 NtProtectVirtualMemory ... (0x1dfe000), 4096, 4, ) == 0x0 02493 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02483 1344 NtWaitForSingleObject ... ) == 0x102 02494 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02495 1344 NtDeviceIoControlFile (480, 476, 0x0, 0x0, 0x1203b, (480, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02496 1320 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02495 1344 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02496 1320 NtDuplicateObject ... 472, ) == 0x0 02497 1344 NtDeviceIoControlFile (480, 476, 0x0, 0x0, 0x12003, (480, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02498 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... 02497 1344 NtDeviceIoControlFile ... {status=0x0, info=464}, ... {status=0x0, info=464}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\22\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02498 1320 NtWaitForSingleObject ... ) == 0x102 02494 420 NtCreateThread ... 484, {412, 1348}, ) == 0x0 02499 1320 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02500 420 NtQueryInformationThread (484, Basic, 28, ... 
02501 1344 NtDeviceIoControlFile (480, 476, 0x0, 0x0, 0x12047, (480, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P\264%\0\2\0\4\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02500 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=412,Tid=1348,}, 0x0, ) == 0x0 02501 1344 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02502 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1608, 0} (24, {28, 56, new_msg, 0, 412, 420, 1608, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\344\1\0\0\234\1\0\0D\5\0\0" ... ... 02503 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\340\1\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02502 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1609, 0} ... {28, 56, reply, 0, 412, 420, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\344\1\0\0\234\1\0\0D\5\0\0" ) ) == 0x0 02493 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02503 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02499 1320 NtCreateEvent ... 488, ) == 0x0 02504 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02505 1344 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02504 1336 NtCreateEvent ... 492, ) == 0x0 02506 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359672, 67, ... }, 0x0, 0, 3, 3, 0, 29359672, 67, ... 02507 1336 NtWaitForSingleObject (492, 0, 0x0, ... 
02505 1344 NtCreateEvent ... 496, ) == 0x0 02506 1320 NtCreateFile ... 500, {status=0x0, info=0}, ) == 0x0 02508 420 NtResumeThread (484, ... 02509 1320 NtDeviceIoControlFile (500, 488, 0x0, 0x0, 0x12047, (500, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\270%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02508 420 NtResumeThread ... 1, ) == 0x0 02509 1320 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02510 420 NtClose (484, ... 02511 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... 02510 420 NtClose ... ) == 0x0 02512 1344 NtClose (496, ... 02513 1348 NtTestAlert (... 02514 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02512 1344 NtClose ... ) == 0x0 02513 1348 NtTestAlert ... ) == 0x0 02514 420 NtAllocateVirtualMemory ... 31457280, 2097152, ) == 0x0 02515 1344 NtSetEventBoostPriority (492, ... 02516 1348 NtContinue (31456560, 1, ... 02511 1320 NtWaitForSingleObject ... ) == 0x102 02507 1336 NtWaitForSingleObject ... ) == 0x0 02515 1344 NtSetEventBoostPriority ... ) == 0x0 02517 1348 NtRegisterThreadTerminatePort (24, ... 02518 1336 NtDeviceIoControlFile (480, 356, 0x0, 0x0, 0x12037, (480, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02519 1320 NtDeviceIoControlFile (500, 488, 0x0, 0x0, 0x1203b, (500, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02520 1344 NtWaitForSingleObject (440, 0, 0x0, ... 02518 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02517 1348 NtRegisterThreadTerminatePort ... ) == 0x0 02519 1320 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02521 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02522 420 NtAllocateVirtualMemory (-1, 33546240, 0, 8192, 4096, 4, ... 02523 1320 NtDeviceIoControlFile (500, 488, 0x0, 0x0, 0x12003, (500, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02522 420 NtAllocateVirtualMemory ... 33546240, 8192, ) == 0x0 02523 1320 NtDeviceIoControlFile ... {status=0x0, info=496}, ... {status=0x0, info=496}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\23\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02524 420 NtProtectVirtualMemory (-1, (0x1ffe000), 4096, 260, ... 02525 1348 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02524 420 NtProtectVirtualMemory ... (0x1ffe000), 4096, 4, ) == 0x0 02525 1348 NtDuplicateObject ... 484, ) == 0x0 02526 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02527 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... 02526 420 NtCreateThread ... 504, {412, 1156}, ) == 0x0 02527 1348 NtWaitForSingleObject ... ) == 0x102 02528 1320 NtDeviceIoControlFile (500, 488, 0x0, 0x0, 0x12047, (500, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\260\267%\0\2\0\4\23\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02529 1348 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02528 1320 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02530 420 NtQueryInformationThread (504, Basic, 28, ... 
02531 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\364\1\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02530 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=412,Tid=1156,}, 0x0, ) == 0x0 02521 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02531 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02532 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02533 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1609, 0} (24, {28, 56, new_msg, 0, 412, 420, 1609, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\370\1\0\0\234\1\0\0\204\4\0\0" ... ... 02532 1336 NtCreateEvent ... 508, ) == 0x0 02534 1320 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02535 1336 NtWaitForSingleObject (508, 0, 0x0, ... 02533 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1610, 0} ... {28, 56, reply, 0, 412, 420, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\370\1\0\0\234\1\0\0\204\4\0\0" ) ) == 0x0 02534 1320 NtCreateEvent ... 512, ) == 0x0 02536 420 NtResumeThread (504, ... 02529 1348 NtCreateEvent ... 516, ) == 0x0 02537 1320 NtClose (512, ... 02538 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456824, 67, ... }, 0x0, 0, 3, 3, 0, 31456824, 67, ... 02537 1320 NtClose ... ) == 0x0 02538 1348 NtCreateFile ... 512, {status=0x0, info=0}, ) == 0x0 02539 1320 NtSetEventBoostPriority (508, ... 
02540 1348 NtDeviceIoControlFile (512, 516, 0x0, 0x0, 0x12047, (512, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340\272%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02535 1336 NtWaitForSingleObject ... ) == 0x0 02539 1320 NtSetEventBoostPriority ... ) == 0x0 02541 1336 NtDeviceIoControlFile (500, 356, 0x0, 0x0, 0x12037, (500, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02540 1348 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02541 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02542 1320 NtWaitForSingleObject (440, 0, 0x0, ... 02543 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... 02544 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02536 420 NtResumeThread ... 1, ) == 0x0 02545 420 NtClose (504, ... ) == 0x0 02546 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 33554432, 2097152, ) == 0x0 02547 420 NtAllocateVirtualMemory (-1, 35643392, 0, 8192, 4096, 4, ... 35643392, 8192, ) == 0x0 02548 420 NtProtectVirtualMemory (-1, (0x21fe000), 4096, 260, ... (0x21fe000), 4096, 4, ) == 0x0 02549 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 504, {412, 1440}, ) == 0x0 02550 420 NtQueryInformationThread (504, Basic, 28, ... 02543 1348 NtWaitForSingleObject ... ) == 0x102 02551 1156 NtTestAlert (... 02552 1348 NtDeviceIoControlFile (512, 516, 0x0, 0x0, 0x1203b, (512, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02551 1156 NtTestAlert ... 
) == 0x0 02552 1348 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02553 1156 NtContinue (33553712, 1, ... 02554 1348 NtDeviceIoControlFile (512, 516, 0x0, 0x0, 0x12003, (512, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02555 1156 NtRegisterThreadTerminatePort (24, ... 02554 1348 NtDeviceIoControlFile ... {status=0x0, info=520}, ... {status=0x0, info=520}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\24\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02555 1156 NtRegisterThreadTerminatePort ... ) == 0x0 02550 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=412,Tid=1440,}, 0x0, ) == 0x0 02556 1348 NtDeviceIoControlFile (512, 516, 0x0, 0x0, 0x12047, (512, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\272%\0\2\0\4\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02557 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1610, 0} (24, {28, 56, new_msg, 0, 412, 420, 1610, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\370\1\0\0\234\1\0\0\240\5\0\0" ... ... 02556 1348 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02557 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1611, 0} ... {28, 56, reply, 0, 412, 420, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\370\1\0\0\234\1\0\0\240\5\0\0" ) ) == 0x0 02558 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\0\2\0\0\1\0\0\0\16\0\2\0\1\275rY\224\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02559 420 NtResumeThread (504, ... 
02544 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02558 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02560 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02559 420 NtResumeThread ... 1, ) == 0x0 02560 1336 NtCreateEvent ... 524, ) == 0x0 02561 1348 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02562 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02563 1440 NtTestAlert (... 02564 1336 NtWaitForSingleObject (524, 0, 0x0, ... 02561 1348 NtCreateEvent ... 528, ) == 0x0 02562 1156 NtDuplicateObject ... 532, ) == 0x0 02563 1440 NtTestAlert ... ) == 0x0 02565 420 NtClose (504, ... 02566 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... 02567 1440 NtContinue (35650864, 1, ... 02565 420 NtClose ... ) == 0x0 02566 1156 NtWaitForSingleObject ... ) == 0x102 02568 1440 NtRegisterThreadTerminatePort (24, ... 02569 420 NtAllocateVirtualMemory (-1, 0, 0, 2097152, 8192, 4, ... 02570 1156 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02568 1440 NtRegisterThreadTerminatePort ... ) == 0x0 02569 420 NtAllocateVirtualMemory ... 35651584, 2097152, ) == 0x0 02571 1348 NtClose (528, ... 02570 1156 NtCreateEvent ... 504, ) == 0x0 02572 420 NtAllocateVirtualMemory (-1, 37740544, 0, 8192, 4096, 4, ... 02571 1348 NtClose ... ) == 0x0 02573 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553976, 67, ... }, 0x0, 0, 3, 3, 0, 33553976, 67, ... 02572 420 NtAllocateVirtualMemory ... 37740544, 8192, ) == 0x0 02574 1348 NtSetEventBoostPriority (524, ... 02573 1156 NtCreateFile ... 528, {status=0x0, info=0}, ) == 0x0 02575 1440 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02564 1336 NtWaitForSingleObject ... ) == 0x0 02574 1348 NtSetEventBoostPriority ... 
) == 0x0 02576 1156 NtDeviceIoControlFile (528, 504, 0x0, 0x0, 0x12047, (528, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X\275%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02577 1336 NtDeviceIoControlFile (512, 356, 0x0, 0x0, 0x12037, (512, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02575 1440 NtDuplicateObject ... 536, ) == 0x0 02578 1348 NtWaitForSingleObject (440, 0, 0x0, ... 02577 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02576 1156 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02579 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... 02580 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02581 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... 02579 1440 NtWaitForSingleObject ... ) == 0x102 02582 420 NtProtectVirtualMemory (-1, (0x23fe000), 4096, 260, ... 02583 1440 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 02582 420 NtProtectVirtualMemory ... (0x23fe000), 4096, 4, ) == 0x0 02581 1156 NtWaitForSingleObject ... ) == 0x102 02584 420 NtCreateThread (0x1f03ff, 0x0, -1, 2292852, 2293568, 1, ... 02585 1156 NtDeviceIoControlFile (528, 504, 0x0, 0x0, 0x1203b, (528, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02584 420 NtCreateThread ... 540, {412, 1228}, ) == 0x0 02585 1156 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02586 420 NtQueryInformationThread (540, Basic, 28, ... 
02587 1156 NtDeviceIoControlFile (528, 504, 0x0, 0x0, 0x12003, (528, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02586 420 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=412,Tid=1228,}, 0x0, ) == 0x0 02587 1156 NtDeviceIoControlFile ... {status=0x0, info=544}, ... {status=0x0, info=544}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\25\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02583 1440 NtCreateEvent ... 548, ) == 0x0 02588 420 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 412, 420, 1611, 0} (24, {28, 56, new_msg, 0, 412, 420, 1611, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\34\2\0\0\234\1\0\0\314\4\0\0" ... ... 02589 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651128, 67, ... }, 0x0, 0, 3, 3, 0, 35651128, 67, ... 02588 420 NtRequestWaitReplyPort ... {28, 56, reply, 0, 412, 420, 1612, 0} ... {28, 56, reply, 0, 412, 420, 1612, 0} "\0\0\0\0\1\0\1\0\0\0\0\04\335%\0\34\2\0\0\234\1\0\0\314\4\0\0" ) ) == 0x0 02589 1440 NtCreateFile ... 552, {status=0x0, info=0}, ) == 0x0 02590 420 NtResumeThread (540, ... 02591 1440 NtDeviceIoControlFile (552, 548, 0x0, 0x0, 0x12047, (552, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\277%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 02590 420 NtResumeThread ... 1, ) == 0x0 02591 1440 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x0 02592 420 NtClose (540, ... 02593 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... 
02594 1156 NtDeviceIoControlFile (528, 504, 0x0, 0x0, 0x12047, (528, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x\274%\0\2\0\4\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02595 1228 NtTestAlert (... 02592 420 NtClose ... ) == 0x0 02594 1156 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02595 1228 NtTestAlert ... ) == 0x0 02596 420 NtDelayExecution (0, {-50000000, -1}, ... 02597 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0\20\2\0\0\1\0\0\0\16\0\2\0\1\275|O\376\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02598 1228 NtContinue (37748016, 1, ... 02580 1336 NtRemoveIoCompletion ... 1906658213, 2470592, {status=0xc000023d, info=0}, ) == 0x0 02597 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02599 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02600 1228 NtRegisterThreadTerminatePort (24, ... 02599 1336 NtCreateEvent ... 540, ) == 0x0 02601 1156 NtCreateEvent (0x100003, 0x0, 1, 0, ... 02602 1336 NtWaitForSingleObject (540, 0, 0x0, ... 02600 1228 NtRegisterThreadTerminatePort ... ) == 0x0 02601 1156 NtCreateEvent ... 556, ) == 0x0 02593 1440 NtWaitForSingleObject ... ) == 0x102 02603 1228 NtWaitForSingleObject (100, 0, {0, 0}, ... 02604 1440 NtDeviceIoControlFile (552, 548, 0x0, 0x0, 0x1203b, (552, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... , 16, 0, ... 02603 1228 NtWaitForSingleObject ... ) == 0x0 02604 1440 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 02605 1228 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02606 1440 NtDeviceIoControlFile (552, 548, 0x0, 0x0, 0x12003, (552, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 02605 1228 NtDuplicateObject ... 560, ) == 0x0 02606 1440 NtDeviceIoControlFile ... {status=0x0, info=564}, ... {status=0x0, info=564}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\26\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02607 1228 NtWaitForSingleObject (92, 0, {0, 0}, ... 02608 1156 NtClose (556, ... 02609 1440 NtDeviceIoControlFile (552, 548, 0x0, 0x0, 0x12047, (552, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\276%\0\2\0\4\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 02608 1156 NtClose ... ) == 0x0 02609 1440 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 02610 1156 NtSetEventBoostPriority (540, ... 02611 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x25af60, 0x12007, (412, 0, 0x0, 0x25af60, 0x12007, "\0\0\0\0\16\0\2\0(\2\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\1\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02602 1336 NtWaitForSingleObject ... ) == 0x0 02610 1156 NtSetEventBoostPriority ... ) == 0x0 02612 1336 NtDeviceIoControlFile (528, 356, 0x0, 0x0, 0x12037, (528, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 02611 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02612 1336 NtDeviceIoControlFile ... {status=0x0, info=8}, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02613 1156 NtWaitForSingleObject (440, 0, 0x0, ... 02614 1440 NtWaitForSingleObject (440, 0, 0x0, ... 02615 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 1906658213, 2469728, {status=0xc000023d, info=0}, ) == 0x0 02616 1336 NtDeviceIoControlFile (552, 356, 0x0, 0x0, 0x12037, (552, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (552, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02617 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02607 1228 NtWaitForSingleObject ... ) == 0x102 02618 1228 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 556, ) == 0x0 02619 1228 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 568, ) == 0x0 02620 1228 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 572, ) == 0x0 02621 1228 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 576, ) == 0x0 02622 1228 NtAllocateVirtualMemory (-1, 37736448, 0, 4096, 4096, 260, ... 37736448, 4096, ) == 0x0 02623 1228 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 37745124, 112, ... 580, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 37745124, 112, ... 580, 0x0, 0x0, 0x0, 112, ) == 0x0 02624 1228 NtRequestWaitReplyPort (580, {128, 152, new_msg, 0, 2359296, 126904, 2359296, 37744888} (580, {128, 152, new_msg, 0, 2359296, 126904, 2359296, 37744888} "\0$\370w\250\367?\2\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0(\314%\0\240\314%\0\0\0\0\0\230\314%\0\300\314%\0\350\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 412, 1228, 1614, 0} "\7$\370w\250\367?\2\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0(\314%\0\240\314%\0\0\0\0\0\230\314%\0\300\314%\0\350\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 412, 1228, 1614, 0} (580, {128, 152, new_msg, 0, 2359296, 126904, 2359296, 37744888} "\0$\370w\250\367?\2\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210C%\0\4\0\0\0\210C%\0\20\344\314w\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0(\314%\0\240\314%\0\0\0\0\0\230\314%\0\300\314%\0\350\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 412, 1228, 1614, 0} "\7$\370w\250\367?\2\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210C%\0\377\377\377\377\210C%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0(\314%\0\240\314%\0\0\0\0\0\230\314%\0\300\314%\0\350\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 02625 1228 NtRequestWaitReplyPort (580, {100, 124, new_msg, 0, 5439575, 5439580, 7536761, 6619252} (580, {100, 124, new_msg, 0, 5439575, 5439580, 7536761, 6619252} "\1\0\0\0A\2\11\0r\0a\0s\0a\0d\0h\0l\0p\0\377\377\377\377l\0l\0\0\0\0\0|\364$\0\17\0\0\0\0\0\0\0\17\0\0\0w\0m\0c\0h\0a\0r\0.\0u\0n\0d\0o\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {44, 68, reply, 0, 412, 1228, 1615, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ... {44, 68, reply, 0, 412, 1228, 1615, 0} (580, {100, 124, new_msg, 0, 5439575, 5439580, 7536761, 6619252} "\1\0\0\0A\2\11\0r\0a\0s\0a\0d\0h\0l\0p\0\377\377\377\377l\0l\0\0\0\0\0|\364$\0\17\0\0\0\0\0\0\0\17\0\0\0w\0m\0c\0h\0a\0r\0.\0u\0n\0d\0o\0.\0i\0t\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{44, 68, reply, 0, 412, 1228, 1615, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 02626 1228 NtClose (576, ... ) == 0x0 02627 1228 NtClose (580, ... ) == 0x0 02628 1228 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{ABE7E06F-620F-4EAA-AE7D-41476D4CCF14}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02629 1228 NtCreateFile (0x20100000, {24, 0, 0x40, 0, 0, (0x20100000, {24, 0, 0x40, 0, 0, "\Device\NetBT_Tcpip_{D19DF882-A9CB-4144-8307-5C0D0368DE1A}"}, 0x0, 0, 3, 3, 0, 0, 0, ... ) }, 0x0, 0, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02630 1228 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 580, ) == 0x0 02631 1228 NtDeviceIoControlFile (352, 580, 0x0, 0x0, 0x210096, (352, 580, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0WMCHAR.UNDO.IT \0", 24, 1160, ... {status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 24, 1160, ... 
{status=0x254b40, info=2359672}, (352, 580, 0x0, 0x0, 0x210096, "\0\0\0\0\0\0\0\0WMCHAR.UNDO.IT \0", 24, 1160, ... {status=0x254b40, info=2359672}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02632 1228 NtWaitForMultipleObjects (1, (580, ), 1, 0, 0x0, ... 02411 1308 NtDelayExecution ... ) == 0x0 02633 1308 NtSetEventBoostPriority (440, ... 02441 1328 NtWaitForSingleObject ... ) == 0x0 02634 1328 NtDelayExecution (0, {-10000, -1}, ... 02633 1308 NtSetEventBoostPriority ... ) == 0x0 02635 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02636 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679604, 67, ... 576, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679604, 67, ... 
576, {status=0x0, info=0}, ) == 0x0 02637 1308 NtDeviceIoControlFile (576, 360, 0x0, 0x0, 0x12047, (576, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02638 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02639 1308 NtDeviceIoControlFile (576, 360, 0x0, 0x0, 0x1203b, (576, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02640 1308 NtDeviceIoControlFile (576, 360, 0x0, 0x0, 0x12003, (576, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=584}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\27\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=584}, (576, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=584}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\27\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02641 1308 NtDeviceIoControlFile (576, 360, 0x0, 0x0, 0x12047, (576, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\313%\0\2\0\4\27\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02642 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x25b2c0, 0x12007, (412, 0, 0x0, 0x25b2c0, 0x12007, "\0\0\0\0\16\0\2\0@\2\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\203\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 02643 1308 NtWaitForSingleObject (440, 0, 0x0, ... 02634 1328 NtDelayExecution ... ) == 0x0 02644 1328 NtSetEventBoostPriority (440, ... 02451 1324 NtWaitForSingleObject ... ) == 0x0 02645 1324 NtDelayExecution (0, {-10000, -1}, ... 02644 1328 NtSetEventBoostPriority ... ) == 0x0 02646 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02647 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971060, 67, ... 588, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971060, 67, ... 
588, {status=0x0, info=0}, ) == 0x0 02648 1328 NtDeviceIoControlFile (588, 396, 0x0, 0x0, 0x12047, (588, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02649 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02650 1328 NtDeviceIoControlFile (588, 396, 0x0, 0x0, 0x1203b, (588, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02651 1328 NtDeviceIoControlFile (588, 396, 0x0, 0x0, 0x12003, (588, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=592}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\30\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=592}, (588, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=592}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\30\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02652 1328 NtDeviceIoControlFile (588, 396, 0x0, 0x0, 0x12047, (588, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\322%\0\2\0\4\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02653 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0L\2\0\0\1\0\0\0\16\0\2\0\1\275^\11o\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02617 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02654 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 596, ) == 0x0 02655 1336 NtWaitForSingleObject (596, 0, 0x0, ... 02653 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02656 1328 NtSetEventBoostPriority (596, ... 02655 1336 NtWaitForSingleObject ... ) == 0x0 02657 1336 NtDeviceIoControlFile (588, 356, 0x0, 0x0, 0x12037, (588, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (588, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02658 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02656 1328 NtSetEventBoostPriority ... ) == 0x0 02659 1328 NtWaitForSingleObject (440, 0, 0x0, ... 02645 1324 NtDelayExecution ... ) == 0x0 02660 1324 NtSetEventBoostPriority (440, ... 02456 1332 NtWaitForSingleObject ... 
) == 0x0 02661 1332 NtDelayExecution (0, {-10000, -1}, ... 02660 1324 NtSetEventBoostPriority ... ) == 0x0 02662 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02663 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776756, 67, ... 600, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776756, 67, ... 600, {status=0x0, info=0}, ) == 0x0 02664 1324 NtDeviceIoControlFile (600, 380, 0x0, 0x0, 0x12047, (600, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360\314%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02665 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02666 1324 NtDeviceIoControlFile (600, 380, 0x0, 0x0, 0x1203b, (600, 380, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02667 1324 NtDeviceIoControlFile (600, 380, 0x0, 0x0, 0x12003, (600, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=604}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\31\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=604}, (600, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=604}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\31\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02668 1324 NtDeviceIoControlFile (600, 380, 0x0, 0x0, 0x12047, (600, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370K%\0\2\0\4\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02669 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0X\2\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02658 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02670 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 608, ) == 0x0 02671 1336 NtWaitForSingleObject (608, 0, 0x0, ... 02669 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02672 1324 NtSetEventBoostPriority (608, ... 02671 1336 NtWaitForSingleObject ... ) == 0x0 02673 1336 NtDeviceIoControlFile (600, 356, 0x0, 0x0, 0x12037, (600, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (600, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02674 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02672 1324 NtSetEventBoostPriority ... ) == 0x0 02675 1324 NtWaitForSingleObject (440, 0, 0x0, ... 02661 1332 NtDelayExecution ... ) == 0x0 02676 1332 NtSetEventBoostPriority (440, ... 02492 1312 NtWaitForSingleObject ... 
) == 0x0 02677 1312 NtDelayExecution (0, {-10000, -1}, ... 02676 1332 NtSetEventBoostPriority ... ) == 0x0 02678 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02679 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873908, 67, ... 612, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873908, 67, ... 612, {status=0x0, info=0}, ) == 0x0 02680 1332 NtDeviceIoControlFile (612, 400, 0x0, 0x0, 0x12047, (612, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x\313%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02681 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02682 1332 NtDeviceIoControlFile (612, 400, 0x0, 0x0, 0x1203b, (612, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02683 1332 NtDeviceIoControlFile (612, 400, 0x0, 0x0, 0x12003, (612, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=616}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\32\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=616}, (612, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=616}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\32\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02684 1332 NtDeviceIoControlFile (612, 400, 0x0, 0x0, 0x12047, (612, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0HM%\0\2\0\4\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02685 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0d\2\0\0\1\0\0\0\16\0\2\0\1\275\226At\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02674 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02686 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 620, ) == 0x0 02687 1336 NtWaitForSingleObject (620, 0, 0x0, ... 02685 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02688 1332 NtSetEventBoostPriority (620, ... 02687 1336 NtWaitForSingleObject ... ) == 0x0 02689 1336 NtDeviceIoControlFile (612, 356, 0x0, 0x0, 0x12037, (612, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (612, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02690 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02688 1332 NtSetEventBoostPriority ... ) == 0x0 02691 1332 NtWaitForSingleObject (440, 0, 0x0, ... 02677 1312 NtDelayExecution ... ) == 0x0 02692 1312 NtSetEventBoostPriority (440, ... 02520 1344 NtWaitForSingleObject ... ) == 0x0 02693 1344 NtDelayExecution (0, {-10000, -1}, ... 
02692 1312 NtSetEventBoostPriority ... ) == 0x0 02694 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02695 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165364, 67, ... 624, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165364, 67, ... 624, {status=0x0, info=0}, ) == 0x0 02696 1312 NtDeviceIoControlFile (624, 448, 0x0, 0x0, 0x12047, (624, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230O%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02697 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02698 1312 NtDeviceIoControlFile (624, 448, 0x0, 0x0, 0x1203b, (624, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02699 1312 NtDeviceIoControlFile (624, 448, 0x0, 0x0, 0x12003, (624, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\33\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=628}, (624, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\33\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02700 1312 NtDeviceIoControlFile (624, 448, 0x0, 0x0, 0x12047, (624, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270N%\0\2\0\4\33\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02701 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0p\2\0\0\1\0\0\0\16\0\2\0\1\275$N&\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02690 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02702 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 632, ) == 0x0 02703 1336 NtWaitForSingleObject (632, 0, 0x0, ... 02701 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02704 1312 NtSetEventBoostPriority (632, ... 02703 1336 NtWaitForSingleObject ... ) == 0x0 02705 1336 NtDeviceIoControlFile (624, 356, 0x0, 0x0, 0x12037, (624, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (624, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02706 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02704 1312 NtSetEventBoostPriority ... ) == 0x0 02707 1312 NtWaitForSingleObject (440, 0, 0x0, ... 02693 1344 NtDelayExecution ... ) == 0x0 02708 1344 NtSetEventBoostPriority (440, ... 02542 1320 NtWaitForSingleObject ... ) == 0x0 02709 1320 NtDelayExecution (0, {-10000, -1}, ... 
02708 1344 NtSetEventBoostPriority ... ) == 0x0 02710 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02711 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262516, 67, ... 636, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262516, 67, ... 636, {status=0x0, info=0}, ) == 0x0 02712 1344 NtDeviceIoControlFile (636, 476, 0x0, 0x0, 0x12047, (636, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00Q%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02713 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02714 1344 NtDeviceIoControlFile (636, 476, 0x0, 0x0, 0x1203b, (636, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02715 1344 NtDeviceIoControlFile (636, 476, 0x0, 0x0, 0x12003, (636, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=640}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\34\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=640}, (636, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=640}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\34\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02716 1344 NtDeviceIoControlFile (636, 476, 0x0, 0x0, 0x12047, (636, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0PP%\0\2\0\4\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02717 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0|\2\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02706 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02718 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 644, ) == 0x0 02719 1336 NtWaitForSingleObject (644, 0, 0x0, ... 02717 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02720 1344 NtSetEventBoostPriority (644, ... 02719 1336 NtWaitForSingleObject ... ) == 0x0 02721 1336 NtDeviceIoControlFile (636, 356, 0x0, 0x0, 0x12037, (636, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (636, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02722 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02720 1344 NtSetEventBoostPriority ... ) == 0x0 02723 1344 NtWaitForSingleObject (440, 0, 0x0, ... 02709 1320 NtDelayExecution ... ) == 0x0 02724 1320 NtSetEventBoostPriority (440, ... 02578 1348 NtWaitForSingleObject ... ) == 0x0 02725 1348 NtDelayExecution (0, {-10000, -1}, ... 
02724 1320 NtSetEventBoostPriority ... ) == 0x0 02726 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02727 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359668, 67, ... 648, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359668, 67, ... 648, {status=0x0, info=0}, ) == 0x0 02728 1320 NtDeviceIoControlFile (648, 488, 0x0, 0x0, 0x12047, (648, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330S%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02729 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02730 1320 NtDeviceIoControlFile (648, 488, 0x0, 0x0, 0x1203b, (648, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02731 1320 NtDeviceIoControlFile (648, 488, 0x0, 0x0, 0x12003, (648, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=652}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\35\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=652}, (648, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=652}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\35\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02732 1320 NtDeviceIoControlFile (648, 488, 0x0, 0x0, 0x12047, (648, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370R%\0\2\0\4\35\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02733 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0\210\2\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02722 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02734 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 656, ) == 0x0 02735 1336 NtWaitForSingleObject (656, 0, 0x0, ... 02733 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02736 1320 NtSetEventBoostPriority (656, ... 02735 1336 NtWaitForSingleObject ... ) == 0x0 02737 1336 NtDeviceIoControlFile (648, 356, 0x0, 0x0, 0x12037, (648, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (648, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02738 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02736 1320 NtSetEventBoostPriority ... ) == 0x0 02739 1320 NtWaitForSingleObject (440, 0, 0x0, ... 02725 1348 NtDelayExecution ... ) == 0x0 02740 1348 NtSetEventBoostPriority (440, ... 02613 1156 NtWaitForSingleObject ... 
) == 0x0 02741 1156 NtDelayExecution (0, {-10000, -1}, ... 02740 1348 NtSetEventBoostPriority ... ) == 0x0 02742 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02743 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456820, 67, ... 660, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456820, 67, ... 660, {status=0x0, info=0}, ) == 0x0 02744 1348 NtDeviceIoControlFile (660, 516, 0x0, 0x0, 0x12047, (660, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0pU%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02745 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02746 1348 NtDeviceIoControlFile (660, 516, 0x0, 0x0, 0x1203b, (660, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02747 1348 NtDeviceIoControlFile (660, 516, 0x0, 0x0, 0x12003, (660, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=664}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\36\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=664}, (660, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=664}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\36\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02748 1348 NtDeviceIoControlFile (660, 516, 0x0, 0x0, 0x12047, (660, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220T%\0\2\0\4\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02749 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0\224\2\0\0\1\0\0\0\16\0\2\0\1\275rY\224\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02738 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02750 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 668, ) == 0x0 02751 1336 NtWaitForSingleObject (668, 0, 0x0, ... 02749 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02752 1348 NtSetEventBoostPriority (668, ... 02751 1336 NtWaitForSingleObject ... ) == 0x0 02753 1336 NtDeviceIoControlFile (660, 356, 0x0, 0x0, 0x12037, (660, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (660, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02754 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02752 1348 NtSetEventBoostPriority ... ) == 0x0 02755 1348 NtWaitForSingleObject (440, 0, 0x0, ... 02741 1156 NtDelayExecution ... ) == 0x0 02756 1156 NtSetEventBoostPriority (440, ... 02614 1440 NtWaitForSingleObject ... 
) == 0x0 02757 1440 NtDelayExecution (0, {-10000, -1}, ... 02756 1156 NtSetEventBoostPriority ... ) == 0x0 02758 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02759 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553972, 67, ... 672, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553972, 67, ... 672, {status=0x0, info=0}, ) == 0x0 02760 1156 NtDeviceIoControlFile (672, 504, 0x0, 0x0, 0x12047, (672, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10W%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02761 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02762 1156 NtDeviceIoControlFile (672, 504, 0x0, 0x0, 0x1203b, (672, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02763 1156 NtDeviceIoControlFile (672, 504, 0x0, 0x0, 0x12003, (672, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=676}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\37\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=676}, (672, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=676}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\37\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02764 1156 NtDeviceIoControlFile (672, 504, 0x0, 0x0, 0x12047, (672, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(V%\0\2\0\4\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02765 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0\240\2\0\0\1\0\0\0\16\0\2\0\1\275|O\376\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02754 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02766 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 680, ) == 0x0 02767 1336 NtWaitForSingleObject (680, 0, 0x0, ... 02765 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02768 1156 NtSetEventBoostPriority (680, ... 02767 1336 NtWaitForSingleObject ... ) == 0x0 02769 1336 NtDeviceIoControlFile (672, 356, 0x0, 0x0, 0x12037, (672, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (672, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02770 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02768 1156 NtSetEventBoostPriority ... ) == 0x0 02771 1156 NtWaitForSingleObject (440, 0, 0x0, ... 02757 1440 NtDelayExecution ... ) == 0x0 02772 1440 NtSetEventBoostPriority (440, ... 02643 1308 NtWaitForSingleObject ... ) == 0x0 02773 1308 NtDelayExecution (0, {-10000, -1}, ... 
02772 1440 NtSetEventBoostPriority ... ) == 0x0 02774 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02775 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651124, 67, ... 684, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651124, 67, ... 684, {status=0x0, info=0}, ) == 0x0 02776 1440 NtDeviceIoControlFile (684, 548, 0x0, 0x0, 0x12047, (684, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240X%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02777 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02778 1440 NtDeviceIoControlFile (684, 548, 0x0, 0x0, 0x1203b, (684, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02779 1440 NtDeviceIoControlFile (684, 548, 0x0, 0x0, 0x12003, (684, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=688}, "\1\0\0\0\1\0\0\0\16\0\2\0\4 \0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=688}, (684, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=688}, "\1\0\0\0\1\0\0\0\16\0\2\0\4 \0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02780 1440 NtDeviceIoControlFile (684, 548, 0x0, 0x0, 0x12047, (684, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300W%\0\2\0\4 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02781 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0\254\2\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\2\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02770 1336 NtRemoveIoCompletion ... 1906658213, 2444096, {status=0xc000023d, info=0}, ) == 0x0 02782 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 692, ) == 0x0 02783 1336 NtWaitForSingleObject (692, 0, 0x0, ... 02781 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02784 1440 NtSetEventBoostPriority (692, ... 02783 1336 NtWaitForSingleObject ... ) == 0x0 02785 1336 NtDeviceIoControlFile (684, 356, 0x0, 0x0, 0x12037, (684, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (684, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02786 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02784 1440 NtSetEventBoostPriority ... ) == 0x0 02787 1440 NtWaitForSingleObject (440, 0, 0x0, ... 02773 1308 NtDelayExecution ... ) == 0x0 02788 1308 NtSetEventBoostPriority (440, ... 02659 1328 NtWaitForSingleObject ... 
) == 0x0 02789 1328 NtDelayExecution (0, {-10000, -1}, ... 02788 1308 NtSetEventBoostPriority ... ) == 0x0 02790 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02791 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679600, 67, ... 696, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679600, 67, ... 696, {status=0x0, info=0}, ) == 0x0 02792 1308 NtDeviceIoControlFile (696, 360, 0x0, 0x0, 0x12047, (696, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08Z%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02793 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02794 1308 NtDeviceIoControlFile (696, 360, 0x0, 0x0, 0x1203b, (696, 360, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02795 1308 NtDeviceIoControlFile (696, 360, 0x0, 0x0, 0x12003, (696, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=700}, "\1\0\0\0\1\0\0\0\16\0\2\0\4!\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=700}, (696, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=700}, "\1\0\0\0\1\0\0\0\16\0\2\0\4!\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02796 1308 NtDeviceIoControlFile (696, 360, 0x0, 0x0, 0x12047, (696, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0XY%\0\2\0\4!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02797 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x254b40, 0x12007, (412, 0, 0x0, 0x254b40, 0x12007, "\0\0\0\0\16\0\2\0\270\2\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\204\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 02798 1308 NtWaitForSingleObject (440, 0, 0x0, ... 02789 1328 NtDelayExecution ... ) == 0x0 02799 1328 NtSetEventBoostPriority (440, ... 02675 1324 NtWaitForSingleObject ... ) == 0x0 02800 1324 NtDelayExecution (0, {-10000, -1}, ... 02799 1328 NtSetEventBoostPriority ... ) == 0x0 02801 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02802 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971056, 67, ... 704, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971056, 67, ... 
704, {status=0x0, info=0}, ) == 0x0 02803 1328 NtDeviceIoControlFile (704, 396, 0x0, 0x0, 0x12047, (704, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320[%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02804 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02805 1328 NtDeviceIoControlFile (704, 396, 0x0, 0x0, 0x1203b, (704, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02806 1328 NtDeviceIoControlFile (704, 396, 0x0, 0x0, 0x12003, (704, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=708}, "\1\0\0\0\1\0\0\0\16\0\2\0\4"\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=708}, (704, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=708}, "\1\0\0\0\1\0\0\0\16\0\2\0\4"\0\0\0\0\0\0\0\0\0\0\0\0", ) \0\0\0\0\0\0\0\0\0\0\0\0", ) == 0x0 02807 1328 NtDeviceIoControlFile (704, 396, 0x0, 0x0, 0x12047, (704, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360Z%\0\2\0\4"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02808 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\300\2\0\0\1\0\0\0\16\0\2\0\1\275^\11o\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02786 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02809 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 712, ) == 0x0 02810 1336 NtWaitForSingleObject (712, 0, 0x0, ... 02808 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02811 1328 NtSetEventBoostPriority (712, ... 02810 1336 NtWaitForSingleObject ... ) == 0x0 02812 1336 NtDeviceIoControlFile (704, 356, 0x0, 0x0, 0x12037, (704, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (704, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02813 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02811 1328 NtSetEventBoostPriority ... ) == 0x0 02814 1328 NtWaitForSingleObject (440, 0, 0x0, ... 02800 1324 NtDelayExecution ... ) == 0x0 02815 1324 NtSetEventBoostPriority (440, ... 02691 1332 NtWaitForSingleObject ... ) == 0x0 02816 1332 NtDelayExecution (0, {-10000, -1}, ... 02815 1324 NtSetEventBoostPriority ... ) == 0x0 02817 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02818 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776752, 67, ... 716, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776752, 67, ... 716, {status=0x0, info=0}, ) == 0x0 02819 1324 NtDeviceIoControlFile (716, 380, 0x0, 0x0, 0x12047, (716, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\260]%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02820 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02821 1324 NtDeviceIoControlFile (716, 380, 0x0, 0x0, 0x1203b, (716, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02822 1324 NtDeviceIoControlFile (716, 380, 0x0, 0x0, 0x12003, (716, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=720}, "\1\0\0\0\1\0\0\0\16\0\2\0\4#\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... 
{status=0x0, info=720}, (716, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=720}, "\1\0\0\0\1\0\0\0\16\0\2\0\4#\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02823 1324 NtDeviceIoControlFile (716, 380, 0x0, 0x0, 0x12047, (716, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320\%\0\2\0\4#\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02824 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\314\2\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02813 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02825 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 724, ) == 0x0 02826 1336 NtWaitForSingleObject (724, 0, 0x0, ... 02824 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02827 1324 NtSetEventBoostPriority (724, ... 02826 1336 NtWaitForSingleObject ... ) == 0x0 02828 1336 NtDeviceIoControlFile (716, 356, 0x0, 0x0, 0x12037, (716, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (716, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02829 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02827 1324 NtSetEventBoostPriority ... ) == 0x0 02830 1324 NtWaitForSingleObject (440, 0, 0x0, ... 02816 1332 NtDelayExecution ... 
) == 0x0 02831 1332 NtSetEventBoostPriority (440, ... 02707 1312 NtWaitForSingleObject ... ) == 0x0 02832 1312 NtDelayExecution (0, {-10000, -1}, ... 02831 1332 NtSetEventBoostPriority ... ) == 0x0 02833 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02834 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873904, 67, ... 728, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873904, 67, ... 728, {status=0x0, info=0}, ) == 0x0 02835 1332 NtDeviceIoControlFile (728, 400, 0x0, 0x0, 0x12047, (728, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0H_%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02836 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02837 1332 NtDeviceIoControlFile (728, 400, 0x0, 0x0, 0x1203b, (728, 400, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02838 1332 NtDeviceIoControlFile (728, 400, 0x0, 0x0, 0x12003, (728, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=732}, "\1\0\0\0\1\0\0\0\16\0\2\0\4$\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=732}, (728, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=732}, "\1\0\0\0\1\0\0\0\16\0\2\0\4$\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02839 1332 NtDeviceIoControlFile (728, 400, 0x0, 0x0, 0x12047, (728, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h^%\0\2\0\4$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02840 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\330\2\0\0\1\0\0\0\16\0\2\0\1\275\226At\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02829 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02841 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 736, ) == 0x0 02842 1336 NtWaitForSingleObject (736, 0, 0x0, ... 02840 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02843 1332 NtSetEventBoostPriority (736, ... 02842 1336 NtWaitForSingleObject ... ) == 0x0 02844 1336 NtDeviceIoControlFile (728, 356, 0x0, 0x0, 0x12037, (728, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (728, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02845 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02843 1332 NtSetEventBoostPriority ... ) == 0x0 02846 1332 NtWaitForSingleObject (440, 0, 0x0, ... 02832 1312 NtDelayExecution ... ) == 0x0 02847 1312 NtSetEventBoostPriority (440, ... 02723 1344 NtWaitForSingleObject ... ) == 0x0 02848 1344 NtDelayExecution (0, {-10000, -1}, ... 
02847 1312 NtSetEventBoostPriority ... ) == 0x0 02849 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02850 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165360, 67, ... 740, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165360, 67, ... 740, {status=0x0, info=0}, ) == 0x0 02851 1312 NtDeviceIoControlFile (740, 448, 0x0, 0x0, 0x12047, (740, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340`%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02852 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02853 1312 NtDeviceIoControlFile (740, 448, 0x0, 0x0, 0x1203b, (740, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02854 1312 NtDeviceIoControlFile (740, 448, 0x0, 0x0, 0x12003, (740, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=744}, "\1\0\0\0\1\0\0\0\16\0\2\0\4%\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=744}, (740, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=744}, "\1\0\0\0\1\0\0\0\16\0\2\0\4%\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02855 1312 NtDeviceIoControlFile (740, 448, 0x0, 0x0, 0x12047, (740, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0`%\0\2\0\4%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02856 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\344\2\0\0\1\0\0\0\16\0\2\0\1\275$N&\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02845 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02857 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 748, ) == 0x0 02858 1336 NtWaitForSingleObject (748, 0, 0x0, ... 02856 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02859 1312 NtSetEventBoostPriority (748, ... 02858 1336 NtWaitForSingleObject ... ) == 0x0 02860 1336 NtDeviceIoControlFile (740, 356, 0x0, 0x0, 0x12037, (740, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (740, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02861 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02859 1312 NtSetEventBoostPriority ... ) == 0x0 02862 1312 NtWaitForSingleObject (440, 0, 0x0, ... 02848 1344 NtDelayExecution ... ) == 0x0 02863 1344 NtSetEventBoostPriority (440, ... 02739 1320 NtWaitForSingleObject ... ) == 0x0 02864 1320 NtDelayExecution (0, {-10000, -1}, ... 
02863 1344 NtSetEventBoostPriority ... ) == 0x0 02865 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02866 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262512, 67, ... 752, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262512, 67, ... 752, {status=0x0, info=0}, ) == 0x0 02867 1344 NtDeviceIoControlFile (752, 476, 0x0, 0x0, 0x12047, (752, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0xb%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02868 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02869 1344 NtDeviceIoControlFile (752, 476, 0x0, 0x0, 0x1203b, (752, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02870 1344 NtDeviceIoControlFile (752, 476, 0x0, 0x0, 0x12003, (752, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=756}, "\1\0\0\0\1\0\0\0\16\0\2\0\4&\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=756}, (752, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=756}, "\1\0\0\0\1\0\0\0\16\0\2\0\4&\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02871 1344 NtDeviceIoControlFile (752, 476, 0x0, 0x0, 0x12047, (752, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230a%\0\2\0\4&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02872 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\360\2\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02861 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02873 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 760, ) == 0x0 02874 1336 NtWaitForSingleObject (760, 0, 0x0, ... 02872 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02875 1344 NtSetEventBoostPriority (760, ... 02874 1336 NtWaitForSingleObject ... ) == 0x0 02876 1336 NtDeviceIoControlFile (752, 356, 0x0, 0x0, 0x12037, (752, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (752, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02877 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02875 1344 NtSetEventBoostPriority ... ) == 0x0 02878 1344 NtWaitForSingleObject (440, 0, 0x0, ... 02864 1320 NtDelayExecution ... ) == 0x0 02879 1320 NtSetEventBoostPriority (440, ... 02755 1348 NtWaitForSingleObject ... 
) == 0x0 02880 1348 NtDelayExecution (0, {-10000, -1}, ... 02879 1320 NtSetEventBoostPriority ... ) == 0x0 02881 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02882 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359664, 67, ... 764, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359664, 67, ... 764, {status=0x0, info=0}, ) == 0x0 02883 1320 NtDeviceIoControlFile (764, 488, 0x0, 0x0, 0x12047, (764, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20d%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02884 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02885 1320 NtDeviceIoControlFile (764, 488, 0x0, 0x0, 0x1203b, (764, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02886 1320 NtDeviceIoControlFile (764, 488, 0x0, 0x0, 0x12003, (764, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=768}, "\1\0\0\0\1\0\0\0\16\0\2\0\4'\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=768}, (764, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=768}, "\1\0\0\0\1\0\0\0\16\0\2\0\4'\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02887 1320 NtDeviceIoControlFile (764, 488, 0x0, 0x0, 0x12047, (764, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00c%\0\2\0\4'\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02888 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\374\2\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02877 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02889 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 772, ) == 0x0 02890 1336 NtWaitForSingleObject (772, 0, 0x0, ... 02888 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02891 1320 NtSetEventBoostPriority (772, ... 02890 1336 NtWaitForSingleObject ... ) == 0x0 02892 1336 NtDeviceIoControlFile (764, 356, 0x0, 0x0, 0x12037, (764, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (764, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02893 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02891 1320 NtSetEventBoostPriority ... ) == 0x0 02894 1320 NtWaitForSingleObject (440, 0, 0x0, ... 02880 1348 NtDelayExecution ... ) == 0x0 02895 1348 NtSetEventBoostPriority (440, ... 02771 1156 NtWaitForSingleObject ... 
) == 0x0 02896 1156 NtDelayExecution (0, {-10000, -1}, ... 02895 1348 NtSetEventBoostPriority ... ) == 0x0 02897 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02898 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456816, 67, ... 776, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456816, 67, ... 776, {status=0x0, info=0}, ) == 0x0 02899 1348 NtDeviceIoControlFile (776, 516, 0x0, 0x0, 0x12047, (776, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250e%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02900 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02901 1348 NtDeviceIoControlFile (776, 516, 0x0, 0x0, 0x1203b, (776, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02902 1348 NtDeviceIoControlFile (776, 516, 0x0, 0x0, 0x12003, (776, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=780}, "\1\0\0\0\1\0\0\0\16\0\2\0\4(\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=780}, (776, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=780}, "\1\0\0\0\1\0\0\0\16\0\2\0\4(\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02903 1348 NtDeviceIoControlFile (776, 516, 0x0, 0x0, 0x12047, (776, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310d%\0\2\0\4(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02904 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\10\3\0\0\1\0\0\0\16\0\2\0\1\275rY\224\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02893 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02905 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 784, ) == 0x0 02906 1336 NtWaitForSingleObject (784, 0, 0x0, ... 02904 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02907 1348 NtSetEventBoostPriority (784, ... 02906 1336 NtWaitForSingleObject ... ) == 0x0 02908 1336 NtDeviceIoControlFile (776, 356, 0x0, 0x0, 0x12037, (776, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (776, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02909 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02907 1348 NtSetEventBoostPriority ... ) == 0x0 02910 1348 NtWaitForSingleObject (440, 0, 0x0, ... 02896 1156 NtDelayExecution ... ) == 0x0 02911 1156 NtSetEventBoostPriority (440, ... 02787 1440 NtWaitForSingleObject ... ) == 0x0 02912 1440 NtDelayExecution (0, {-10000, -1}, ... 
02911 1156 NtSetEventBoostPriority ... ) == 0x0 02913 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02914 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553968, 67, ... 788, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553968, 67, ... 788, {status=0x0, info=0}, ) == 0x0 02915 1156 NtDeviceIoControlFile (788, 504, 0x0, 0x0, 0x12047, (788, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@g%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02916 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02917 1156 NtDeviceIoControlFile (788, 504, 0x0, 0x0, 0x1203b, (788, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02918 1156 NtDeviceIoControlFile (788, 504, 0x0, 0x0, 0x12003, (788, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=792}, "\1\0\0\0\1\0\0\0\16\0\2\0\4)\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=792}, (788, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=792}, "\1\0\0\0\1\0\0\0\16\0\2\0\4)\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02919 1156 NtDeviceIoControlFile (788, 504, 0x0, 0x0, 0x12047, (788, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0`f%\0\2\0\4)\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02920 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0\24\3\0\0\1\0\0\0\16\0\2\0\1\275|O\376\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02909 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02921 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 796, ) == 0x0 02922 1336 NtWaitForSingleObject (796, 0, 0x0, ... 02920 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02923 1156 NtSetEventBoostPriority (796, ... 02922 1336 NtWaitForSingleObject ... ) == 0x0 02924 1336 NtDeviceIoControlFile (788, 356, 0x0, 0x0, 0x12037, (788, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (788, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02925 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02923 1156 NtSetEventBoostPriority ... ) == 0x0 02926 1156 NtWaitForSingleObject (440, 0, 0x0, ... 02912 1440 NtDelayExecution ... ) == 0x0 02927 1440 NtSetEventBoostPriority (440, ... 02798 1308 NtWaitForSingleObject ... ) == 0x0 02928 1308 NtDelayExecution (0, {-10000, -1}, ... 
02927 1440 NtSetEventBoostPriority ... ) == 0x0 02929 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02930 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651120, 67, ... 800, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651120, 67, ... 800, {status=0x0, info=0}, ) == 0x0 02931 1440 NtDeviceIoControlFile (800, 548, 0x0, 0x0, 0x12047, (800, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330h%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02932 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02933 1440 NtDeviceIoControlFile (800, 548, 0x0, 0x0, 0x1203b, (800, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02934 1440 NtDeviceIoControlFile (800, 548, 0x0, 0x0, 0x12003, (800, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=804}, "\1\0\0\0\1\0\0\0\16\0\2\0\4*\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=804}, (800, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=804}, "\1\0\0\0\1\0\0\0\16\0\2\0\4*\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02935 1440 NtDeviceIoControlFile (800, 548, 0x0, 0x0, 0x12047, (800, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370g%\0\2\0\4*\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02936 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0 \3\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\3\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02925 1336 NtRemoveIoCompletion ... 1906658213, 2448408, {status=0xc000023d, info=0}, ) == 0x0 02937 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 808, ) == 0x0 02938 1336 NtWaitForSingleObject (808, 0, 0x0, ... 02936 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02939 1440 NtSetEventBoostPriority (808, ... 02938 1336 NtWaitForSingleObject ... ) == 0x0 02940 1336 NtDeviceIoControlFile (800, 356, 0x0, 0x0, 0x12037, (800, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (800, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02941 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02939 1440 NtSetEventBoostPriority ... ) == 0x0 02942 1440 NtWaitForSingleObject (440, 0, 0x0, ... 02928 1308 NtDelayExecution ... ) == 0x0 02943 1308 NtSetEventBoostPriority (440, ... 02814 1328 NtWaitForSingleObject ... ) == 0x0 02944 1328 NtDelayExecution (0, {-10000, -1}, ... 
02943 1308 NtSetEventBoostPriority ... ) == 0x0 02945 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02946 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679596, 67, ... 812, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679596, 67, ... 812, {status=0x0, info=0}, ) == 0x0 02947 1308 NtDeviceIoControlFile (812, 360, 0x0, 0x0, 0x12047, (812, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0pj%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02948 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02949 1308 NtDeviceIoControlFile (812, 360, 0x0, 0x0, 0x1203b, (812, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02950 1308 NtDeviceIoControlFile (812, 360, 0x0, 0x0, 0x12003, (812, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=816}, "\1\0\0\0\1\0\0\0\16\0\2\0\4+\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=816}, (812, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=816}, "\1\0\0\0\1\0\0\0\16\0\2\0\4+\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02951 1308 NtDeviceIoControlFile (812, 360, 0x0, 0x0, 0x12047, (812, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220i%\0\2\0\4+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02952 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x255c18, 0x12007, (412, 0, 0x0, 0x255c18, 0x12007, "\0\0\0\0\16\0\2\0,\3\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\205\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 02953 1308 NtWaitForSingleObject (440, 0, 0x0, ... 02944 1328 NtDelayExecution ... ) == 0x0 02954 1328 NtSetEventBoostPriority (440, ... 02830 1324 NtWaitForSingleObject ... ) == 0x0 02955 1324 NtDelayExecution (0, {-10000, -1}, ... 02954 1328 NtSetEventBoostPriority ... ) == 0x0 02956 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02957 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971052, 67, ... 820, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971052, 67, ... 
820, {status=0x0, info=0}, ) == 0x0 02958 1328 NtDeviceIoControlFile (820, 396, 0x0, 0x0, 0x12047, (820, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10l%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02959 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02960 1328 NtDeviceIoControlFile (820, 396, 0x0, 0x0, 0x1203b, (820, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02961 1328 NtDeviceIoControlFile (820, 396, 0x0, 0x0, 0x12003, (820, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=824}, "\1\0\0\0\1\0\0\0\16\0\2\0\4,\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=824}, (820, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=824}, "\1\0\0\0\1\0\0\0\16\0\2\0\4,\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02962 1328 NtDeviceIoControlFile (820, 396, 0x0, 0x0, 0x12047, (820, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(k%\0\2\0\4,\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02963 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\04\3\0\0\1\0\0\0\16\0\2\0\1\275^\11o\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02941 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 02964 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 828, ) == 0x0 02965 1336 NtWaitForSingleObject (828, 0, 0x0, ... 02963 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02966 1328 NtSetEventBoostPriority (828, ... 02965 1336 NtWaitForSingleObject ... ) == 0x0 02967 1336 NtDeviceIoControlFile (820, 356, 0x0, 0x0, 0x12037, (820, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (820, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02968 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02966 1328 NtSetEventBoostPriority ... ) == 0x0 02969 1328 NtWaitForSingleObject (440, 0, 0x0, ... 02955 1324 NtDelayExecution ... ) == 0x0 02970 1324 NtSetEventBoostPriority (440, ... 02846 1332 NtWaitForSingleObject ... ) == 0x0 02971 1332 NtDelayExecution (0, {-10000, -1}, ... 
02970 1324 NtSetEventBoostPriority ... ) == 0x0 02972 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02973 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776748, 67, ... 832, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776748, 67, ... 832, {status=0x0, info=0}, ) == 0x0 02974 1324 NtDeviceIoControlFile (832, 380, 0x0, 0x0, 0x12047, (832, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350m%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02975 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02976 1324 NtDeviceIoControlFile (832, 380, 0x0, 0x0, 0x1203b, (832, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02977 1324 NtDeviceIoControlFile (832, 380, 0x0, 0x0, 0x12003, (832, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=836}, "\1\0\0\0\1\0\0\0\16\0\2\0\4-\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=836}, (832, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=836}, "\1\0\0\0\1\0\0\0\16\0\2\0\4-\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02978 1324 NtDeviceIoControlFile (832, 380, 0x0, 0x0, 0x12047, (832, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10m%\0\2\0\4-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02979 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0@\3\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02968 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 02980 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 840, ) == 0x0 02981 1336 NtWaitForSingleObject (840, 0, 0x0, ... 02979 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02982 1324 NtSetEventBoostPriority (840, ... 02981 1336 NtWaitForSingleObject ... ) == 0x0 02983 1336 NtDeviceIoControlFile (832, 356, 0x0, 0x0, 0x12037, (832, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (832, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 02984 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02982 1324 NtSetEventBoostPriority ... ) == 0x0 02985 1324 NtWaitForSingleObject (440, 0, 0x0, ... 02971 1332 NtDelayExecution ... ) == 0x0 02986 1332 NtSetEventBoostPriority (440, ... 02862 1312 NtWaitForSingleObject ... ) == 0x0 02987 1312 NtDelayExecution (0, {-10000, -1}, ... 
02986 1332 NtSetEventBoostPriority ... ) == 0x0 02988 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02989 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873900, 67, ... 844, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873900, 67, ... 844, {status=0x0, info=0}, ) == 0x0 02990 1332 NtDeviceIoControlFile (844, 400, 0x0, 0x0, 0x12047, (844, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200o%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 02991 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 02992 1332 NtDeviceIoControlFile (844, 400, 0x0, 0x0, 0x1203b, (844, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02993 1332 NtDeviceIoControlFile (844, 400, 0x0, 0x0, 0x12003, (844, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=848}, "\1\0\0\0\1\0\0\0\16\0\2\0\4.\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=848}, (844, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=848}, "\1\0\0\0\1\0\0\0\16\0\2\0\4.\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02994 1332 NtDeviceIoControlFile (844, 400, 0x0, 0x0, 0x12047, (844, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240n%\0\2\0\4.\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 02995 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0L\3\0\0\1\0\0\0\16\0\2\0\1\275\226At\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 02984 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 02996 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 852, ) == 0x0 02997 1336 NtWaitForSingleObject (852, 0, 0x0, ... 02995 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 02998 1332 NtSetEventBoostPriority (852, ... 02997 1336 NtWaitForSingleObject ... ) == 0x0 02999 1336 NtDeviceIoControlFile (844, 356, 0x0, 0x0, 0x12037, (844, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (844, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03000 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 02998 1332 NtSetEventBoostPriority ... ) == 0x0 03001 1332 NtWaitForSingleObject (440, 0, 0x0, ... 02987 1312 NtDelayExecution ... ) == 0x0 03002 1312 NtSetEventBoostPriority (440, ... 02878 1344 NtWaitForSingleObject ... ) == 0x0 03003 1344 NtDelayExecution (0, {-10000, -1}, ... 
03002 1312 NtSetEventBoostPriority ... ) == 0x0 03004 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03005 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165356, 67, ... 856, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165356, 67, ... 856, {status=0x0, info=0}, ) == 0x0 03006 1312 NtDeviceIoControlFile (856, 448, 0x0, 0x0, 0x12047, (856, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\30q%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03007 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03008 1312 NtDeviceIoControlFile (856, 448, 0x0, 0x0, 0x1203b, (856, 448, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03009 1312 NtDeviceIoControlFile (856, 448, 0x0, 0x0, 0x12003, (856, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=860}, "\1\0\0\0\1\0\0\0\16\0\2\0\4/\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=860}, (856, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=860}, "\1\0\0\0\1\0\0\0\16\0\2\0\4/\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03010 1312 NtDeviceIoControlFile (856, 448, 0x0, 0x0, 0x12047, (856, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08p%\0\2\0\4/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03011 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0X\3\0\0\1\0\0\0\16\0\2\0\1\275$N&\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03000 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03012 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 864, ) == 0x0 03013 1336 NtWaitForSingleObject (864, 0, 0x0, ... 03011 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03014 1312 NtSetEventBoostPriority (864, ... 03013 1336 NtWaitForSingleObject ... ) == 0x0 03015 1336 NtDeviceIoControlFile (856, 356, 0x0, 0x0, 0x12037, (856, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (856, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03016 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03014 1312 NtSetEventBoostPriority ... ) == 0x0 03017 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03003 1344 NtDelayExecution ... ) == 0x0 03018 1344 NtSetEventBoostPriority (440, ... 02894 1320 NtWaitForSingleObject ... ) == 0x0 03019 1320 NtDelayExecution (0, {-10000, -1}, ... 
03018 1344 NtSetEventBoostPriority ... ) == 0x0 03020 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03021 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262508, 67, ... 868, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262508, 67, ... 868, {status=0x0, info=0}, ) == 0x0 03022 1344 NtDeviceIoControlFile (868, 476, 0x0, 0x0, 0x12047, (868, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\260r%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03023 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03024 1344 NtDeviceIoControlFile (868, 476, 0x0, 0x0, 0x1203b, (868, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03025 1344 NtDeviceIoControlFile (868, 476, 0x0, 0x0, 0x12003, (868, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=872}, "\1\0\0\0\1\0\0\0\16\0\2\0\40\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=872}, (868, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=872}, "\1\0\0\0\1\0\0\0\16\0\2\0\40\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03026 1344 NtDeviceIoControlFile (868, 476, 0x0, 0x0, 0x12047, (868, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320q%\0\2\0\40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03027 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0d\3\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03016 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03028 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 876, ) == 0x0 03029 1336 NtWaitForSingleObject (876, 0, 0x0, ... 03027 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03030 1344 NtSetEventBoostPriority (876, ... 03029 1336 NtWaitForSingleObject ... ) == 0x0 03031 1336 NtDeviceIoControlFile (868, 356, 0x0, 0x0, 0x12037, (868, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (868, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03032 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03030 1344 NtSetEventBoostPriority ... ) == 0x0 03033 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03019 1320 NtDelayExecution ... ) == 0x0 03034 1320 NtSetEventBoostPriority (440, ... 02910 1348 NtWaitForSingleObject ... ) == 0x0 03035 1348 NtDelayExecution (0, {-10000, -1}, ... 
03034 1320 NtSetEventBoostPriority ... ) == 0x0 03036 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03037 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359660, 67, ... 880, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359660, 67, ... 880, {status=0x0, info=0}, ) == 0x0 03038 1320 NtDeviceIoControlFile (880, 488, 0x0, 0x0, 0x12047, (880, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0Ht%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03039 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03040 1320 NtDeviceIoControlFile (880, 488, 0x0, 0x0, 0x1203b, (880, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03041 1320 NtDeviceIoControlFile (880, 488, 0x0, 0x0, 0x12003, (880, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=884}, "\1\0\0\0\1\0\0\0\16\0\2\0\41\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=884}, (880, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=884}, "\1\0\0\0\1\0\0\0\16\0\2\0\41\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03042 1320 NtDeviceIoControlFile (880, 488, 0x0, 0x0, 0x12047, (880, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0hs%\0\2\0\41\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03043 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0p\3\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03032 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03044 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 888, ) == 0x0 03045 1336 NtWaitForSingleObject (888, 0, 0x0, ... 03043 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03046 1320 NtSetEventBoostPriority (888, ... 03045 1336 NtWaitForSingleObject ... ) == 0x0 03047 1336 NtDeviceIoControlFile (880, 356, 0x0, 0x0, 0x12037, (880, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (880, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03048 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03046 1320 NtSetEventBoostPriority ... ) == 0x0 03049 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03035 1348 NtDelayExecution ... ) == 0x0 03050 1348 NtSetEventBoostPriority (440, ... 02926 1156 NtWaitForSingleObject ... ) == 0x0 03051 1156 NtDelayExecution (0, {-10000, -1}, ... 
03050 1348 NtSetEventBoostPriority ... ) == 0x0 03052 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03053 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456812, 67, ... 892, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456812, 67, ... 892, {status=0x0, info=0}, ) == 0x0 03054 1348 NtDeviceIoControlFile (892, 516, 0x0, 0x0, 0x12047, (892, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340u%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03055 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03056 1348 NtDeviceIoControlFile (892, 516, 0x0, 0x0, 0x1203b, (892, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03057 1348 NtDeviceIoControlFile (892, 516, 0x0, 0x0, 0x12003, (892, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=896}, "\1\0\0\0\1\0\0\0\16\0\2\0\42\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=896}, (892, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=896}, "\1\0\0\0\1\0\0\0\16\0\2\0\42\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03058 1348 NtDeviceIoControlFile (892, 516, 0x0, 0x0, 0x12047, (892, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0u%\0\2\0\42\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03059 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0|\3\0\0\1\0\0\0\16\0\2\0\1\275rY\224\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03048 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03060 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 900, ) == 0x0 03061 1336 NtWaitForSingleObject (900, 0, 0x0, ... 03059 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03062 1348 NtSetEventBoostPriority (900, ... 03061 1336 NtWaitForSingleObject ... ) == 0x0 03063 1336 NtDeviceIoControlFile (892, 356, 0x0, 0x0, 0x12037, (892, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (892, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03064 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03062 1348 NtSetEventBoostPriority ... ) == 0x0 03065 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03051 1156 NtDelayExecution ... ) == 0x0 03066 1156 NtSetEventBoostPriority (440, ... 02942 1440 NtWaitForSingleObject ... ) == 0x0 03067 1440 NtDelayExecution (0, {-10000, -1}, ... 
03066 1156 NtSetEventBoostPriority ... ) == 0x0 03068 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03069 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553964, 67, ... 904, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553964, 67, ... 904, {status=0x0, info=0}, ) == 0x0 03070 1156 NtDeviceIoControlFile (904, 504, 0x0, 0x0, 0x12047, (904, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0xw%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03071 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03072 1156 NtDeviceIoControlFile (904, 504, 0x0, 0x0, 0x1203b, (904, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03073 1156 NtDeviceIoControlFile (904, 504, 0x0, 0x0, 0x12003, (904, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=908}, "\1\0\0\0\1\0\0\0\16\0\2\0\43\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=908}, (904, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=908}, "\1\0\0\0\1\0\0\0\16\0\2\0\43\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03074 1156 NtDeviceIoControlFile (904, 504, 0x0, 0x0, 0x12047, (904, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230v%\0\2\0\43\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03075 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0\210\3\0\0\1\0\0\0\16\0\2\0\1\275|O\376\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03064 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03076 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 912, ) == 0x0 03077 1336 NtWaitForSingleObject (912, 0, 0x0, ... 03075 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03078 1156 NtSetEventBoostPriority (912, ... 03077 1336 NtWaitForSingleObject ... ) == 0x0 03079 1336 NtDeviceIoControlFile (904, 356, 0x0, 0x0, 0x12037, (904, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (904, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03080 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03078 1156 NtSetEventBoostPriority ... ) == 0x0 03081 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03067 1440 NtDelayExecution ... ) == 0x0 03082 1440 NtSetEventBoostPriority (440, ... 02953 1308 NtWaitForSingleObject ... ) == 0x0 03083 1308 NtDelayExecution (0, {-10000, -1}, ... 
03082 1440 NtSetEventBoostPriority ... ) == 0x0 03084 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03085 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651116, 67, ... 916, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651116, 67, ... 916, {status=0x0, info=0}, ) == 0x0 03086 1440 NtDeviceIoControlFile (916, 548, 0x0, 0x0, 0x12047, (916, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20y%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03087 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03088 1440 NtDeviceIoControlFile (916, 548, 0x0, 0x0, 0x1203b, (916, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03089 1440 NtDeviceIoControlFile (916, 548, 0x0, 0x0, 0x12003, (916, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=920}, "\1\0\0\0\1\0\0\0\16\0\2\0\44\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=920}, (916, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=920}, "\1\0\0\0\1\0\0\0\16\0\2\0\44\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03090 1440 NtDeviceIoControlFile (916, 548, 0x0, 0x0, 0x12047, (916, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00x%\0\2\0\44\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03091 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0\224\3\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\4\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03080 1336 NtRemoveIoCompletion ... 1906658213, 2452560, {status=0xc000023d, info=0}, ) == 0x0 03092 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 924, ) == 0x0 03093 1336 NtWaitForSingleObject (924, 0, 0x0, ... 03091 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03094 1440 NtSetEventBoostPriority (924, ... 03093 1336 NtWaitForSingleObject ... ) == 0x0 03095 1336 NtDeviceIoControlFile (916, 356, 0x0, 0x0, 0x12037, (916, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (916, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03096 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03094 1440 NtSetEventBoostPriority ... ) == 0x0 03097 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03083 1308 NtDelayExecution ... ) == 0x0 03098 1308 NtSetEventBoostPriority (440, ... 02969 1328 NtWaitForSingleObject ... ) == 0x0 03099 1328 NtDelayExecution (0, {-10000, -1}, ... 
03098 1308 NtSetEventBoostPriority ... ) == 0x0 03100 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03101 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679592, 67, ... 928, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679592, 67, ... 928, {status=0x0, info=0}, ) == 0x0 03102 1308 NtDeviceIoControlFile (928, 360, 0x0, 0x0, 0x12047, (928, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250z%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03103 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03104 1308 NtDeviceIoControlFile (928, 360, 0x0, 0x0, 0x1203b, (928, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03105 1308 NtDeviceIoControlFile (928, 360, 0x0, 0x0, 0x12003, (928, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=932}, "\1\0\0\0\1\0\0\0\16\0\2\0\45\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=932}, (928, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=932}, "\1\0\0\0\1\0\0\0\16\0\2\0\45\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03106 1308 NtDeviceIoControlFile (928, 360, 0x0, 0x0, 0x12047, (928, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310y%\0\2\0\45\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03107 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x256c50, 0x12007, (412, 0, 0x0, 0x256c50, 0x12007, "\0\0\0\0\16\0\2\0\240\3\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\206\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03108 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03099 1328 NtDelayExecution ... ) == 0x0 03109 1328 NtSetEventBoostPriority (440, ... 02985 1324 NtWaitForSingleObject ... ) == 0x0 03110 1324 NtDelayExecution (0, {-10000, -1}, ... 03109 1328 NtSetEventBoostPriority ... ) == 0x0 03111 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03112 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971048, 67, ... 936, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971048, 67, ... 
936, {status=0x0, info=0}, ) == 0x0 03113 1328 NtDeviceIoControlFile (936, 396, 0x0, 0x0, 0x12047, (936, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@|%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03114 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03115 1328 NtDeviceIoControlFile (936, 396, 0x0, 0x0, 0x1203b, (936, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03116 1328 NtDeviceIoControlFile (936, 396, 0x0, 0x0, 0x12003, (936, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=940}, "\1\0\0\0\1\0\0\0\16\0\2\0\46\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=940}, (936, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=940}, "\1\0\0\0\1\0\0\0\16\0\2\0\46\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03117 1328 NtDeviceIoControlFile (936, 396, 0x0, 0x0, 0x12047, (936, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0`{%\0\2\0\46\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03118 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\250\3\0\0\1\0\0\0\16\0\2\0\1\275^\11o\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03096 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03119 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 944, ) == 0x0 03120 1336 NtWaitForSingleObject (944, 0, 0x0, ... 03118 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03121 1328 NtSetEventBoostPriority (944, ... 03120 1336 NtWaitForSingleObject ... ) == 0x0 03122 1336 NtDeviceIoControlFile (936, 356, 0x0, 0x0, 0x12037, (936, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (936, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03123 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03121 1328 NtSetEventBoostPriority ... ) == 0x0 03124 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03110 1324 NtDelayExecution ... ) == 0x0 03125 1324 NtSetEventBoostPriority (440, ... 03001 1332 NtWaitForSingleObject ... ) == 0x0 03126 1332 NtDelayExecution (0, {-10000, -1}, ... 
03125 1324 NtSetEventBoostPriority ... ) == 0x0 03127 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03128 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776744, 67, ... 948, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776744, 67, ... 948, {status=0x0, info=0}, ) == 0x0 03129 1324 NtDeviceIoControlFile (948, 380, 0x0, 0x0, 0x12047, (948, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 ~%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03130 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03131 1324 NtDeviceIoControlFile (948, 380, 0x0, 0x0, 0x1203b, (948, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03132 1324 NtDeviceIoControlFile (948, 380, 0x0, 0x0, 0x12003, (948, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=952}, "\1\0\0\0\1\0\0\0\16\0\2\0\47\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=952}, (948, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=952}, "\1\0\0\0\1\0\0\0\16\0\2\0\47\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03133 1324 NtDeviceIoControlFile (948, 380, 0x0, 0x0, 0x12047, (948, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@}%\0\2\0\47\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03134 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\264\3\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03123 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03135 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 956, ) == 0x0 03136 1336 NtWaitForSingleObject (956, 0, 0x0, ... 03134 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03137 1324 NtSetEventBoostPriority (956, ... 03136 1336 NtWaitForSingleObject ... ) == 0x0 03138 1336 NtDeviceIoControlFile (948, 356, 0x0, 0x0, 0x12037, (948, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (948, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03139 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03137 1324 NtSetEventBoostPriority ... ) == 0x0 03140 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03126 1332 NtDelayExecution ... ) == 0x0 03141 1332 NtSetEventBoostPriority (440, ... 03017 1312 NtWaitForSingleObject ... ) == 0x0 03142 1312 NtDelayExecution (0, {-10000, -1}, ... 
03141 1332 NtSetEventBoostPriority ... ) == 0x0 03143 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03144 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873896, 67, ... 960, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873896, 67, ... 960, {status=0x0, info=0}, ) == 0x0 03145 1332 NtDeviceIoControlFile (960, 400, 0x0, 0x0, 0x12047, (960, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270\177%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03146 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03147 1332 NtDeviceIoControlFile (960, 400, 0x0, 0x0, 0x1203b, (960, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03148 1332 NtDeviceIoControlFile (960, 400, 0x0, 0x0, 0x12003, (960, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=964}, "\1\0\0\0\1\0\0\0\16\0\2\0\48\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=964}, (960, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=964}, "\1\0\0\0\1\0\0\0\16\0\2\0\48\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03149 1332 NtDeviceIoControlFile (960, 400, 0x0, 0x0, 0x12047, (960, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330~%\0\2\0\48\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03150 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\300\3\0\0\1\0\0\0\16\0\2\0\1\275\226At\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03139 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03151 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 968, ) == 0x0 03152 1336 NtWaitForSingleObject (968, 0, 0x0, ... 03150 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03153 1332 NtSetEventBoostPriority (968, ... 03152 1336 NtWaitForSingleObject ... ) == 0x0 03154 1336 NtDeviceIoControlFile (960, 356, 0x0, 0x0, 0x12037, (960, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (960, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03155 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03153 1332 NtSetEventBoostPriority ... ) == 0x0 03156 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03142 1312 NtDelayExecution ... ) == 0x0 03157 1312 NtSetEventBoostPriority (440, ... 03033 1344 NtWaitForSingleObject ... ) == 0x0 03158 1344 NtDelayExecution (0, {-10000, -1}, ... 
03157 1312 NtSetEventBoostPriority ... ) == 0x0 03159 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03160 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165352, 67, ... 972, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165352, 67, ... 972, {status=0x0, info=0}, ) == 0x0 03161 1312 NtDeviceIoControlFile (972, 448, 0x0, 0x0, 0x12047, (972, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P\201%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03162 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03163 1312 NtDeviceIoControlFile (972, 448, 0x0, 0x0, 0x1203b, (972, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03164 1312 NtDeviceIoControlFile (972, 448, 0x0, 0x0, 0x12003, (972, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=976}, "\1\0\0\0\1\0\0\0\16\0\2\0\49\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=976}, (972, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=976}, "\1\0\0\0\1\0\0\0\16\0\2\0\49\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03165 1312 NtDeviceIoControlFile (972, 448, 0x0, 0x0, 0x12047, (972, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p\200%\0\2\0\49\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03166 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\314\3\0\0\1\0\0\0\16\0\2\0\1\275$N&\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03155 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03167 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 980, ) == 0x0 03168 1336 NtWaitForSingleObject (980, 0, 0x0, ... 03166 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03169 1312 NtSetEventBoostPriority (980, ... 03168 1336 NtWaitForSingleObject ... ) == 0x0 03170 1336 NtDeviceIoControlFile (972, 356, 0x0, 0x0, 0x12037, (972, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (972, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03171 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03169 1312 NtSetEventBoostPriority ... ) == 0x0 03172 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03158 1344 NtDelayExecution ... ) == 0x0 03173 1344 NtSetEventBoostPriority (440, ... 03049 1320 NtWaitForSingleObject ... ) == 0x0 03174 1320 NtDelayExecution (0, {-10000, -1}, ... 
03173 1344 NtSetEventBoostPriority ... ) == 0x0 03175 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03176 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262504, 67, ... 984, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262504, 67, ... 984, {status=0x0, info=0}, ) == 0x0 03177 1344 NtDeviceIoControlFile (984, 476, 0x0, 0x0, 0x12047, (984, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350\202%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03178 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03179 1344 NtDeviceIoControlFile (984, 476, 0x0, 0x0, 0x1203b, (984, 476, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03180 1344 NtDeviceIoControlFile (984, 476, 0x0, 0x0, 0x12003, (984, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=988}, "\1\0\0\0\1\0\0\0\16\0\2\0\4:\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=988}, (984, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=988}, "\1\0\0\0\1\0\0\0\16\0\2\0\4:\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03181 1344 NtDeviceIoControlFile (984, 476, 0x0, 0x0, 0x12047, (984, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10\202%\0\2\0\4:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03182 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\330\3\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03171 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03183 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 992, ) == 0x0 03184 1336 NtWaitForSingleObject (992, 0, 0x0, ... 03182 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03185 1344 NtSetEventBoostPriority (992, ... 03184 1336 NtWaitForSingleObject ... ) == 0x0 03186 1336 NtDeviceIoControlFile (984, 356, 0x0, 0x0, 0x12037, (984, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (984, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03187 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03185 1344 NtSetEventBoostPriority ... ) == 0x0 03188 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03174 1320 NtDelayExecution ... ) == 0x0 03189 1320 NtSetEventBoostPriority (440, ... 03065 1348 NtWaitForSingleObject ... 
) == 0x0 03190 1348 NtDelayExecution (0, {-10000, -1}, ... 03189 1320 NtSetEventBoostPriority ... ) == 0x0 03191 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03192 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359656, 67, ... 996, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359656, 67, ... 996, {status=0x0, info=0}, ) == 0x0 03193 1320 NtDeviceIoControlFile (996, 488, 0x0, 0x0, 0x12047, (996, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\204%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03194 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03195 1320 NtDeviceIoControlFile (996, 488, 0x0, 0x0, 0x1203b, (996, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03196 1320 NtDeviceIoControlFile (996, 488, 0x0, 0x0, 0x12003, (996, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1000}, "\1\0\0\0\1\0\0\0\16\0\2\0\4;\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1000}, (996, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1000}, "\1\0\0\0\1\0\0\0\16\0\2\0\4;\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03197 1320 NtDeviceIoControlFile (996, 488, 0x0, 0x0, 0x12047, (996, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\203%\0\2\0\4;\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03198 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\344\3\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03187 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03199 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1004, ) == 0x0 03200 1336 NtWaitForSingleObject (1004, 0, 0x0, ... 03198 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03201 1320 NtSetEventBoostPriority (1004, ... 03200 1336 NtWaitForSingleObject ... ) == 0x0 03202 1336 NtDeviceIoControlFile (996, 356, 0x0, 0x0, 0x12037, (996, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (996, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03203 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03201 1320 NtSetEventBoostPriority ... ) == 0x0 03204 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03190 1348 NtDelayExecution ... ) == 0x0 03205 1348 NtSetEventBoostPriority (440, ... 03081 1156 NtWaitForSingleObject ... 
) == 0x0 03206 1156 NtDelayExecution (0, {-10000, -1}, ... 03205 1348 NtSetEventBoostPriority ... ) == 0x0 03207 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03208 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456808, 67, ... 1008, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456808, 67, ... 1008, {status=0x0, info=0}, ) == 0x0 03209 1348 NtDeviceIoControlFile (1008, 516, 0x0, 0x0, 0x12047, (1008, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\30\206%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03210 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03211 1348 NtDeviceIoControlFile (1008, 516, 0x0, 0x0, 0x1203b, (1008, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03212 1348 NtDeviceIoControlFile (1008, 516, 0x0, 0x0, 0x12003, (1008, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1012}, "\1\0\0\0\1\0\0\0\16\0\2\0\4<\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1012}, (1008, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1012}, "\1\0\0\0\1\0\0\0\16\0\2\0\4<\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03213 1348 NtDeviceIoControlFile (1008, 516, 0x0, 0x0, 0x12047, (1008, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08\205%\0\2\0\4<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03214 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\360\3\0\0\1\0\0\0\16\0\2\0\1\275rY\224\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03203 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03215 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1016, ) == 0x0 03216 1336 NtWaitForSingleObject (1016, 0, 0x0, ... 03214 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03217 1348 NtSetEventBoostPriority (1016, ... 03216 1336 NtWaitForSingleObject ... ) == 0x0 03218 1336 NtDeviceIoControlFile (1008, 356, 0x0, 0x0, 0x12037, (1008, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1008, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03219 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03217 1348 NtSetEventBoostPriority ... ) == 0x0 03220 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03206 1156 NtDelayExecution ... ) == 0x0 03221 1156 NtSetEventBoostPriority (440, ... 03097 1440 NtWaitForSingleObject ... 
) == 0x0 03222 1440 NtDelayExecution (0, {-10000, -1}, ... 03221 1156 NtSetEventBoostPriority ... ) == 0x0 03223 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03224 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553960, 67, ... 1020, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553960, 67, ... 1020, {status=0x0, info=0}, ) == 0x0 03225 1156 NtDeviceIoControlFile (1020, 504, 0x0, 0x0, 0x12047, (1020, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\260\207%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03226 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03227 1156 NtDeviceIoControlFile (1020, 504, 0x0, 0x0, 0x1203b, (1020, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03228 1156 NtDeviceIoControlFile (1020, 504, 0x0, 0x0, 0x12003, (1020, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\16\0\2\0\4=\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1024}, (1020, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1024}, "\1\0\0\0\1\0\0\0\16\0\2\0\4=\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03229 1156 NtDeviceIoControlFile (1020, 504, 0x0, 0x0, 0x12047, (1020, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320\206%\0\2\0\4=\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03230 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\374\3\0\0\1\0\0\0\16\0\2\0\1\275|O\376\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03219 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03231 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1028, ) == 0x0 03232 1336 NtWaitForSingleObject (1028, 0, 0x0, ... 03230 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03233 1156 NtSetEventBoostPriority (1028, ... 03232 1336 NtWaitForSingleObject ... ) == 0x0 03234 1336 NtDeviceIoControlFile (1020, 356, 0x0, 0x0, 0x12037, (1020, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1020, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03235 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03233 1156 NtSetEventBoostPriority ... ) == 0x0 03236 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03222 1440 NtDelayExecution ... ) == 0x0 03237 1440 NtSetEventBoostPriority (440, ... 03108 1308 NtWaitForSingleObject ... 
) == 0x0 03238 1308 NtDelayExecution (0, {-10000, -1}, ... 03237 1440 NtSetEventBoostPriority ... ) == 0x0 03239 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03240 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651112, 67, ... 1032, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651112, 67, ... 1032, {status=0x0, info=0}, ) == 0x0 03241 1440 NtDeviceIoControlFile (1032, 548, 0x0, 0x0, 0x12047, (1032, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0H\211%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03242 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03243 1440 NtDeviceIoControlFile (1032, 548, 0x0, 0x0, 0x1203b, (1032, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03244 1440 NtDeviceIoControlFile (1032, 548, 0x0, 0x0, 0x12003, (1032, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1036}, "\1\0\0\0\1\0\0\0\16\0\2\0\4>\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1036}, (1032, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1036}, "\1\0\0\0\1\0\0\0\16\0\2\0\4>\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03245 1440 NtDeviceIoControlFile (1032, 548, 0x0, 0x0, 0x12047, (1032, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\210%\0\2\0\4>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03246 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\10\4\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\5\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03235 1336 NtRemoveIoCompletion ... 1906658213, 2456712, {status=0xc000023d, info=0}, ) == 0x0 03247 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1040, ) == 0x0 03248 1336 NtWaitForSingleObject (1040, 0, 0x0, ... 03246 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03249 1440 NtSetEventBoostPriority (1040, ... 03248 1336 NtWaitForSingleObject ... ) == 0x0 03250 1336 NtDeviceIoControlFile (1032, 356, 0x0, 0x0, 0x12037, (1032, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1032, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03251 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03249 1440 NtSetEventBoostPriority ... ) == 0x0 03252 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03238 1308 NtDelayExecution ... ) == 0x0 03253 1308 NtSetEventBoostPriority (440, ... 03124 1328 NtWaitForSingleObject ... 
) == 0x0 03254 1328 NtDelayExecution (0, {-10000, -1}, ... 03253 1308 NtSetEventBoostPriority ... ) == 0x0 03255 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03256 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679588, 67, ... 1044, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679588, 67, ... 1044, {status=0x0, info=0}, ) == 0x0 03257 1308 NtDeviceIoControlFile (1044, 360, 0x0, 0x0, 0x12047, (1044, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340\212%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03258 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03259 1308 NtDeviceIoControlFile (1044, 360, 0x0, 0x0, 0x1203b, (1044, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03260 1308 NtDeviceIoControlFile (1044, 360, 0x0, 0x0, 0x12003, (1044, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1048}, "\1\0\0\0\1\0\0\0\16\0\2\0\4?\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1048}, (1044, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1048}, "\1\0\0\0\1\0\0\0\16\0\2\0\4?\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03261 1308 NtDeviceIoControlFile (1044, 360, 0x0, 0x0, 0x12047, (1044, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\212%\0\2\0\4?\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03262 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x257c88, 0x12007, (412, 0, 0x0, 0x257c88, 0x12007, "\0\0\0\0\16\0\2\0\24\4\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\207\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03263 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03254 1328 NtDelayExecution ... ) == 0x0 03264 1328 NtSetEventBoostPriority (440, ... 03140 1324 NtWaitForSingleObject ... ) == 0x0 03265 1324 NtDelayExecution (0, {-10000, -1}, ... 03264 1328 NtSetEventBoostPriority ... ) == 0x0 03266 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03267 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971044, 67, ... 1052, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971044, 67, ... 
1052, {status=0x0, info=0}, ) == 0x0 03268 1328 NtDeviceIoControlFile (1052, 396, 0x0, 0x0, 0x12047, (1052, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x\214%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03269 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03270 1328 NtDeviceIoControlFile (1052, 396, 0x0, 0x0, 0x1203b, (1052, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03271 1328 NtDeviceIoControlFile (1052, 396, 0x0, 0x0, 0x12003, (1052, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1056}, "\1\0\0\0\1\0\0\0\16\0\2\0\4@\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1056}, (1052, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1056}, "\1\0\0\0\1\0\0\0\16\0\2\0\4@\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03272 1328 NtDeviceIoControlFile (1052, 396, 0x0, 0x0, 0x12047, (1052, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230\213%\0\2\0\4@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03273 1328 NtAllocateVirtualMemory (-1, 2482176, 0, 4096, 4096, 4, ... 2482176, 4096, ) == 0x0 03274 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0\34\4\0\0\1\0\0\0\16\0\2\0\1\275^\11o\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03251 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03275 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1060, ) == 0x0 03276 1336 NtWaitForSingleObject (1060, 0, 0x0, ... 03274 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03277 1328 NtSetEventBoostPriority (1060, ... 03276 1336 NtWaitForSingleObject ... ) == 0x0 03278 1336 NtDeviceIoControlFile (1052, 356, 0x0, 0x0, 0x12037, (1052, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1052, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03279 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03277 1328 NtSetEventBoostPriority ... ) == 0x0 03280 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03265 1324 NtDelayExecution ... 
) == 0x0 03281 1324 NtSetEventBoostPriority (440, ... 03156 1332 NtWaitForSingleObject ... ) == 0x0 03282 1332 NtDelayExecution (0, {-10000, -1}, ... 03281 1324 NtSetEventBoostPriority ... ) == 0x0 03283 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03284 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776740, 67, ... 1064, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776740, 67, ... 1064, {status=0x0, info=0}, ) == 0x0 03285 1324 NtDeviceIoControlFile (1064, 380, 0x0, 0x0, 0x12047, (1064, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\341%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03286 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03287 1324 NtDeviceIoControlFile (1064, 380, 0x0, 0x0, 0x1203b, (1064, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03288 1324 NtDeviceIoControlFile (1064, 380, 0x0, 0x0, 0x12003, (1064, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1068}, "\1\0\0\0\1\0\0\0\16\0\2\0\4A\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1068}, (1064, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1068}, "\1\0\0\0\1\0\0\0\16\0\2\0\4A\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03289 1324 NtDeviceIoControlFile (1064, 380, 0x0, 0x0, 0x12047, (1064, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\340%\0\2\0\4A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03290 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0(\4\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03279 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03291 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1072, ) == 0x0 03292 1336 NtWaitForSingleObject (1072, 0, 0x0, ... 03290 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03293 1324 NtSetEventBoostPriority (1072, ... 03292 1336 NtWaitForSingleObject ... ) == 0x0 03294 1336 NtDeviceIoControlFile (1064, 356, 0x0, 0x0, 0x12037, (1064, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1064, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03295 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03293 1324 NtSetEventBoostPriority ... ) == 0x0 03296 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03282 1332 NtDelayExecution ... ) == 0x0 03297 1332 NtSetEventBoostPriority (440, ... 03172 1312 NtWaitForSingleObject ... 
) == 0x0 03298 1312 NtDelayExecution (0, {-10000, -1}, ... 03297 1332 NtSetEventBoostPriority ... ) == 0x0 03299 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03300 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873892, 67, ... 1076, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873892, 67, ... 1076, {status=0x0, info=0}, ) == 0x0 03301 1332 NtDeviceIoControlFile (1076, 400, 0x0, 0x0, 0x12047, (1076, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08\343%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03302 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03303 1332 NtDeviceIoControlFile (1076, 400, 0x0, 0x0, 0x1203b, (1076, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03304 1332 NtDeviceIoControlFile (1076, 400, 0x0, 0x0, 0x12003, (1076, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1080}, "\1\0\0\0\1\0\0\0\16\0\2\0\4B\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1080}, (1076, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1080}, "\1\0\0\0\1\0\0\0\16\0\2\0\4B\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03305 1332 NtDeviceIoControlFile (1076, 400, 0x0, 0x0, 0x12047, (1076, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X\342%\0\2\0\4B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03306 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\04\4\0\0\1\0\0\0\16\0\2\0\1\275\226At\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03295 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03307 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1084, ) == 0x0 03308 1336 NtWaitForSingleObject (1084, 0, 0x0, ... 03306 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03309 1332 NtSetEventBoostPriority (1084, ... 03308 1336 NtWaitForSingleObject ... ) == 0x0 03310 1336 NtDeviceIoControlFile (1076, 356, 0x0, 0x0, 0x12037, (1076, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1076, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03311 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03309 1332 NtSetEventBoostPriority ... ) == 0x0 03312 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03298 1312 NtDelayExecution ... ) == 0x0 03313 1312 NtSetEventBoostPriority (440, ... 03188 1344 NtWaitForSingleObject ... 
) == 0x0 03314 1344 NtDelayExecution (0, {-10000, -1}, ... 03313 1312 NtSetEventBoostPriority ... ) == 0x0 03315 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03316 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165348, 67, ... 1088, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165348, 67, ... 1088, {status=0x0, info=0}, ) == 0x0 03317 1312 NtDeviceIoControlFile (1088, 448, 0x0, 0x0, 0x12047, (1088, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320\344%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03318 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03319 1312 NtDeviceIoControlFile (1088, 448, 0x0, 0x0, 0x1203b, (1088, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03320 1312 NtDeviceIoControlFile (1088, 448, 0x0, 0x0, 0x12003, (1088, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1092}, "\1\0\0\0\1\0\0\0\16\0\2\0\4C\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1092}, (1088, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1092}, "\1\0\0\0\1\0\0\0\16\0\2\0\4C\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03321 1312 NtDeviceIoControlFile (1088, 448, 0x0, 0x0, 0x12047, (1088, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360\343%\0\2\0\4C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03322 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0@\4\0\0\1\0\0\0\16\0\2\0\1\275$N&\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03311 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03323 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1096, ) == 0x0 03324 1336 NtWaitForSingleObject (1096, 0, 0x0, ... 03322 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03325 1312 NtSetEventBoostPriority (1096, ... 03324 1336 NtWaitForSingleObject ... ) == 0x0 03326 1336 NtDeviceIoControlFile (1088, 356, 0x0, 0x0, 0x12037, (1088, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1088, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03327 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03325 1312 NtSetEventBoostPriority ... ) == 0x0 03328 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03314 1344 NtDelayExecution ... ) == 0x0 03329 1344 NtSetEventBoostPriority (440, ... 03204 1320 NtWaitForSingleObject ... 
) == 0x0 03330 1320 NtDelayExecution (0, {-10000, -1}, ... 03329 1344 NtSetEventBoostPriority ... ) == 0x0 03331 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03332 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262500, 67, ... 1100, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262500, 67, ... 1100, {status=0x0, info=0}, ) == 0x0 03333 1344 NtDeviceIoControlFile (1100, 476, 0x0, 0x0, 0x12047, (1100, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\346%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03334 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03335 1344 NtDeviceIoControlFile (1100, 476, 0x0, 0x0, 0x1203b, (1100, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03336 1344 NtDeviceIoControlFile (1100, 476, 0x0, 0x0, 0x12003, (1100, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1104}, "\1\0\0\0\1\0\0\0\16\0\2\0\4D\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1104}, (1100, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1104}, "\1\0\0\0\1\0\0\0\16\0\2\0\4D\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03337 1344 NtDeviceIoControlFile (1100, 476, 0x0, 0x0, 0x12047, (1100, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\345%\0\2\0\4D\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03338 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0L\4\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03327 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03339 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1108, ) == 0x0 03340 1336 NtWaitForSingleObject (1108, 0, 0x0, ... 03338 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03341 1344 NtSetEventBoostPriority (1108, ... 03340 1336 NtWaitForSingleObject ... ) == 0x0 03342 1336 NtDeviceIoControlFile (1100, 356, 0x0, 0x0, 0x12037, (1100, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1100, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03343 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03341 1344 NtSetEventBoostPriority ... ) == 0x0 03344 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03330 1320 NtDelayExecution ... ) == 0x0 03345 1320 NtSetEventBoostPriority (440, ... 03220 1348 NtWaitForSingleObject ... 
) == 0x0 03346 1348 NtDelayExecution (0, {-10000, -1}, ... 03345 1320 NtSetEventBoostPriority ... ) == 0x0 03347 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03348 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359652, 67, ... 1112, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359652, 67, ... 1112, {status=0x0, info=0}, ) == 0x0 03349 1320 NtDeviceIoControlFile (1112, 488, 0x0, 0x0, 0x12047, (1112, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\350%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03350 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03351 1320 NtDeviceIoControlFile (1112, 488, 0x0, 0x0, 0x1203b, (1112, 488, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03352 1320 NtDeviceIoControlFile (1112, 488, 0x0, 0x0, 0x12003, (1112, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1116}, "\1\0\0\0\1\0\0\0\16\0\2\0\4E\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1116}, (1112, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1116}, "\1\0\0\0\1\0\0\0\16\0\2\0\4E\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03353 1320 NtDeviceIoControlFile (1112, 488, 0x0, 0x0, 0x12047, (1112, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 \347%\0\2\0\4E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03354 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0X\4\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03343 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03355 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1120, ) == 0x0 03356 1336 NtWaitForSingleObject (1120, 0, 0x0, ... 03354 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03357 1320 NtSetEventBoostPriority (1120, ... 03356 1336 NtWaitForSingleObject ... ) == 0x0 03358 1336 NtDeviceIoControlFile (1112, 356, 0x0, 0x0, 0x12037, (1112, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1112, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03359 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03357 1320 NtSetEventBoostPriority ... ) == 0x0 03360 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03346 1348 NtDelayExecution ... ) == 0x0 03361 1348 NtSetEventBoostPriority (440, ... 03236 1156 NtWaitForSingleObject ... 
) == 0x0 03362 1156 NtDelayExecution (0, {-10000, -1}, ... 03361 1348 NtSetEventBoostPriority ... ) == 0x0 03363 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03364 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456804, 67, ... 1124, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456804, 67, ... 1124, {status=0x0, info=0}, ) == 0x0 03365 1348 NtDeviceIoControlFile (1124, 516, 0x0, 0x0, 0x12047, (1124, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230\352%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03366 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03367 1348 NtDeviceIoControlFile (1124, 516, 0x0, 0x0, 0x1203b, (1124, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03368 1348 NtDeviceIoControlFile (1124, 516, 0x0, 0x0, 0x12003, (1124, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1128}, "\1\0\0\0\1\0\0\0\16\0\2\0\4F\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1128}, (1124, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1128}, "\1\0\0\0\1\0\0\0\16\0\2\0\4F\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03369 1348 NtDeviceIoControlFile (1124, 516, 0x0, 0x0, 0x12047, (1124, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270\351%\0\2\0\4F\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03370 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0d\4\0\0\1\0\0\0\16\0\2\0\1\275rY\224\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03359 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03371 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1132, ) == 0x0 03372 1336 NtWaitForSingleObject (1132, 0, 0x0, ... 03370 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03373 1348 NtSetEventBoostPriority (1132, ... 03372 1336 NtWaitForSingleObject ... ) == 0x0 03374 1336 NtDeviceIoControlFile (1124, 356, 0x0, 0x0, 0x12037, (1124, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1124, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03375 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03373 1348 NtSetEventBoostPriority ... ) == 0x0 03376 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03362 1156 NtDelayExecution ... ) == 0x0 03377 1156 NtSetEventBoostPriority (440, ... 03252 1440 NtWaitForSingleObject ... 
) == 0x0 03378 1440 NtDelayExecution (0, {-10000, -1}, ... 03377 1156 NtSetEventBoostPriority ... ) == 0x0 03379 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03380 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553956, 67, ... 1136, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553956, 67, ... 1136, {status=0x0, info=0}, ) == 0x0 03381 1156 NtDeviceIoControlFile (1136, 504, 0x0, 0x0, 0x12047, (1136, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\354%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03382 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03383 1156 NtDeviceIoControlFile (1136, 504, 0x0, 0x0, 0x1203b, (1136, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03384 1156 NtDeviceIoControlFile (1136, 504, 0x0, 0x0, 0x12003, (1136, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1140}, "\1\0\0\0\1\0\0\0\16\0\2\0\4G\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1140}, (1136, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1140}, "\1\0\0\0\1\0\0\0\16\0\2\0\4G\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03385 1156 NtDeviceIoControlFile (1136, 504, 0x0, 0x0, 0x12047, (1136, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P\353%\0\2\0\4G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03386 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0p\4\0\0\1\0\0\0\16\0\2\0\1\275|O\376\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03375 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03387 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1144, ) == 0x0 03388 1336 NtWaitForSingleObject (1144, 0, 0x0, ... 03386 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03389 1156 NtSetEventBoostPriority (1144, ... 03388 1336 NtWaitForSingleObject ... ) == 0x0 03390 1336 NtDeviceIoControlFile (1136, 356, 0x0, 0x0, 0x12037, (1136, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1136, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03391 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03389 1156 NtSetEventBoostPriority ... ) == 0x0 03392 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03378 1440 NtDelayExecution ... ) == 0x0 03393 1440 NtSetEventBoostPriority (440, ... 03263 1308 NtWaitForSingleObject ... 
) == 0x0 03394 1308 NtDelayExecution (0, {-10000, -1}, ... 03393 1440 NtSetEventBoostPriority ... ) == 0x0 03395 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03396 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651108, 67, ... 1148, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651108, 67, ... 1148, {status=0x0, info=0}, ) == 0x0 03397 1440 NtDeviceIoControlFile (1148, 548, 0x0, 0x0, 0x12047, (1148, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\355%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03398 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03399 1440 NtDeviceIoControlFile (1148, 548, 0x0, 0x0, 0x1203b, (1148, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03400 1440 NtDeviceIoControlFile (1148, 548, 0x0, 0x0, 0x12003, (1148, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1152}, "\1\0\0\0\1\0\0\0\16\0\2\0\4H\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1152}, (1148, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1152}, "\1\0\0\0\1\0\0\0\16\0\2\0\4H\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03401 1440 NtDeviceIoControlFile (1148, 548, 0x0, 0x0, 0x12047, (1148, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350\354%\0\2\0\4H\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03402 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0|\4\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\6\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03391 1336 NtRemoveIoCompletion ... 1906658213, 2482184, {status=0xc000023d, info=0}, ) == 0x0 03403 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1156, ) == 0x0 03404 1336 NtWaitForSingleObject (1156, 0, 0x0, ... 03402 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03405 1440 NtSetEventBoostPriority (1156, ... 03404 1336 NtWaitForSingleObject ... ) == 0x0 03406 1336 NtDeviceIoControlFile (1148, 356, 0x0, 0x0, 0x12037, (1148, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1148, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03407 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03405 1440 NtSetEventBoostPriority ... ) == 0x0 03408 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03394 1308 NtDelayExecution ... ) == 0x0 03409 1308 NtSetEventBoostPriority (440, ... 03280 1328 NtWaitForSingleObject ... 
) == 0x0 03410 1328 NtDelayExecution (0, {-10000, -1}, ... 03409 1308 NtSetEventBoostPriority ... ) == 0x0 03411 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03412 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679584, 67, ... 1160, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679584, 67, ... 1160, {status=0x0, info=0}, ) == 0x0 03413 1308 NtDeviceIoControlFile (1160, 360, 0x0, 0x0, 0x12047, (1160, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0`\357%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03414 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03415 1308 NtDeviceIoControlFile (1160, 360, 0x0, 0x0, 0x1203b, (1160, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03416 1308 NtDeviceIoControlFile (1160, 360, 0x0, 0x0, 0x12003, (1160, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1164}, "\1\0\0\0\1\0\0\0\16\0\2\0\4I\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1164}, (1160, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1164}, "\1\0\0\0\1\0\0\0\16\0\2\0\4I\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03417 1308 NtDeviceIoControlFile (1160, 360, 0x0, 0x0, 0x12047, (1160, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200\356%\0\2\0\4I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03418 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x25e008, 0x12007, (412, 0, 0x0, 0x25e008, 0x12007, "\0\0\0\0\16\0\2\0\210\4\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\210\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03419 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03410 1328 NtDelayExecution ... ) == 0x0 03420 1328 NtSetEventBoostPriority (440, ... 03296 1324 NtWaitForSingleObject ... ) == 0x0 03421 1324 NtDelayExecution (0, {-10000, -1}, ... 03420 1328 NtSetEventBoostPriority ... ) == 0x0 03422 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03423 1328 NtAllocateVirtualMemory (-1, 2486272, 0, 4096, 4096, 4, ... 2486272, 4096, ) == 0x0 03424 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971040, 67, ... 1168, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971040, 67, ... 
1168, {status=0x0, info=0}, ) == 0x0 03425 1328 NtDeviceIoControlFile (1168, 396, 0x0, 0x0, 0x12047, (1168, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370\360%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\14\0\0\20\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03426 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03427 1328 NtDeviceIoControlFile (1168, 396, 0x0, 0x0, 0x1203b, (1168, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03428 1328 NtDeviceIoControlFile (1168, 396, 0x0, 0x0, 0x12003, (1168, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1172}, "\1\0\0\0\1\0\0\0\16\0\2\0\4J\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1172}, (1168, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1172}, "\1\0\0\0\1\0\0\0\16\0\2\0\4J\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03429 1328 NtDeviceIoControlFile (1168, 396, 0x0, 0x0, 0x12047, (1168, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\30\360%\0\2\0\4J\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\14\0\0\20\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03430 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\220\4\0\0\1\0\0\0\16\0\2\0\1\275^\11o\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03407 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03431 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1176, ) == 0x0 03432 1336 NtWaitForSingleObject (1176, 0, 0x0, ... 03430 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03433 1328 NtSetEventBoostPriority (1176, ... 03432 1336 NtWaitForSingleObject ... ) == 0x0 03434 1336 NtDeviceIoControlFile (1168, 356, 0x0, 0x0, 0x12037, (1168, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1168, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03435 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03433 1328 NtSetEventBoostPriority ... ) == 0x0 03436 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03421 1324 NtDelayExecution ... ) == 0x0 03437 1324 NtSetEventBoostPriority (440, ... 03312 1332 NtWaitForSingleObject ... 
) == 0x0 03438 1332 NtDelayExecution (0, {-10000, -1}, ... 03437 1324 NtSetEventBoostPriority ... ) == 0x0 03439 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03440 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776736, 67, ... 1180, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776736, 67, ... 1180, {status=0x0, info=0}, ) == 0x0 03441 1324 NtDeviceIoControlFile (1180, 380, 0x0, 0x0, 0x12047, (1180, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330\362%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03442 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03443 1324 NtDeviceIoControlFile (1180, 380, 0x0, 0x0, 0x1203b, (1180, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03444 1324 NtDeviceIoControlFile (1180, 380, 0x0, 0x0, 0x12003, (1180, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1184}, "\1\0\0\0\1\0\0\0\16\0\2\0\4K\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1184}, (1180, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1184}, "\1\0\0\0\1\0\0\0\16\0\2\0\4K\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03445 1324 NtDeviceIoControlFile (1180, 380, 0x0, 0x0, 0x12047, (1180, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370\361%\0\2\0\4K\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03446 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\234\4\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03435 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03447 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1188, ) == 0x0 03448 1336 NtWaitForSingleObject (1188, 0, 0x0, ... 03446 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03449 1324 NtSetEventBoostPriority (1188, ... 03448 1336 NtWaitForSingleObject ... ) == 0x0 03450 1336 NtDeviceIoControlFile (1180, 356, 0x0, 0x0, 0x12037, (1180, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1180, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03451 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03449 1324 NtSetEventBoostPriority ... ) == 0x0 03452 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03438 1332 NtDelayExecution ... ) == 0x0 03453 1332 NtSetEventBoostPriority (440, ... 03328 1312 NtWaitForSingleObject ... 
) == 0x0 03454 1312 NtDelayExecution (0, {-10000, -1}, ... 03453 1332 NtSetEventBoostPriority ... ) == 0x0 03455 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03456 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873888, 67, ... 1192, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873888, 67, ... 1192, {status=0x0, info=0}, ) == 0x0 03457 1332 NtDeviceIoControlFile (1192, 400, 0x0, 0x0, 0x12047, (1192, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p\364%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03458 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03459 1332 NtDeviceIoControlFile (1192, 400, 0x0, 0x0, 0x1203b, (1192, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03460 1332 NtDeviceIoControlFile (1192, 400, 0x0, 0x0, 0x12003, (1192, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1196}, "\1\0\0\0\1\0\0\0\16\0\2\0\4L\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1196}, (1192, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1196}, "\1\0\0\0\1\0\0\0\16\0\2\0\4L\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03461 1332 NtDeviceIoControlFile (1192, 400, 0x0, 0x0, 0x12047, (1192, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\363%\0\2\0\4L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03462 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\250\4\0\0\1\0\0\0\16\0\2\0\1\275\226At\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03451 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03463 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1200, ) == 0x0 03464 1336 NtWaitForSingleObject (1200, 0, 0x0, ... 03462 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03465 1332 NtSetEventBoostPriority (1200, ... 03464 1336 NtWaitForSingleObject ... ) == 0x0 03466 1336 NtDeviceIoControlFile (1192, 356, 0x0, 0x0, 0x12037, (1192, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1192, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03467 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03465 1332 NtSetEventBoostPriority ... ) == 0x0 03468 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03454 1312 NtDelayExecution ... ) == 0x0 03469 1312 NtSetEventBoostPriority (440, ... 03344 1344 NtWaitForSingleObject ... 
) == 0x0 03470 1344 NtDelayExecution (0, {-10000, -1}, ... 03469 1312 NtSetEventBoostPriority ... ) == 0x0 03471 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03472 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165344, 67, ... 1204, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165344, 67, ... 1204, {status=0x0, info=0}, ) == 0x0 03473 1312 NtDeviceIoControlFile (1204, 448, 0x0, 0x0, 0x12047, (1204, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10\366%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03474 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03475 1312 NtDeviceIoControlFile (1204, 448, 0x0, 0x0, 0x1203b, (1204, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03476 1312 NtDeviceIoControlFile (1204, 448, 0x0, 0x0, 0x12003, (1204, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1208}, "\1\0\0\0\1\0\0\0\16\0\2\0\4M\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1208}, (1204, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1208}, "\1\0\0\0\1\0\0\0\16\0\2\0\4M\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03477 1312 NtDeviceIoControlFile (1204, 448, 0x0, 0x0, 0x12047, (1204, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\365%\0\2\0\4M\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03478 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\264\4\0\0\1\0\0\0\16\0\2\0\1\275$N&\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03467 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03479 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1212, ) == 0x0 03480 1336 NtWaitForSingleObject (1212, 0, 0x0, ... 03478 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03481 1312 NtSetEventBoostPriority (1212, ... 03480 1336 NtWaitForSingleObject ... ) == 0x0 03482 1336 NtDeviceIoControlFile (1204, 356, 0x0, 0x0, 0x12037, (1204, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1204, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03483 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03481 1312 NtSetEventBoostPriority ... ) == 0x0 03484 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03470 1344 NtDelayExecution ... ) == 0x0 03485 1344 NtSetEventBoostPriority (440, ... 03360 1320 NtWaitForSingleObject ... 
) == 0x0 03486 1320 NtDelayExecution (0, {-10000, -1}, ... 03485 1344 NtSetEventBoostPriority ... ) == 0x0 03487 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03488 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262496, 67, ... 1216, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262496, 67, ... 1216, {status=0x0, info=0}, ) == 0x0 03489 1344 NtDeviceIoControlFile (1216, 476, 0x0, 0x0, 0x12047, (1216, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\367%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03490 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03491 1344 NtDeviceIoControlFile (1216, 476, 0x0, 0x0, 0x1203b, (1216, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03492 1344 NtDeviceIoControlFile (1216, 476, 0x0, 0x0, 0x12003, (1216, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1220}, "\1\0\0\0\1\0\0\0\16\0\2\0\4N\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1220}, (1216, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1220}, "\1\0\0\0\1\0\0\0\16\0\2\0\4N\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03493 1344 NtDeviceIoControlFile (1216, 476, 0x0, 0x0, 0x12047, (1216, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\366%\0\2\0\4N\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03494 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\300\4\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03483 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03495 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1224, ) == 0x0 03496 1336 NtWaitForSingleObject (1224, 0, 0x0, ... 03494 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03497 1344 NtSetEventBoostPriority (1224, ... 03496 1336 NtWaitForSingleObject ... ) == 0x0 03498 1336 NtDeviceIoControlFile (1216, 356, 0x0, 0x0, 0x12037, (1216, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1216, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03499 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03497 1344 NtSetEventBoostPriority ... ) == 0x0 03500 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03486 1320 NtDelayExecution ... ) == 0x0 03501 1320 NtSetEventBoostPriority (440, ... 03376 1348 NtWaitForSingleObject ... 
) == 0x0 03502 1348 NtDelayExecution (0, {-10000, -1}, ... 03501 1320 NtSetEventBoostPriority ... ) == 0x0 03503 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03504 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359648, 67, ... 1228, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359648, 67, ... 1228, {status=0x0, info=0}, ) == 0x0 03505 1320 NtDeviceIoControlFile (1228, 488, 0x0, 0x0, 0x12047, (1228, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08\371%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03506 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03507 1320 NtDeviceIoControlFile (1228, 488, 0x0, 0x0, 0x1203b, (1228, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03508 1320 NtDeviceIoControlFile (1228, 488, 0x0, 0x0, 0x12003, (1228, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1232}, "\1\0\0\0\1\0\0\0\16\0\2\0\4O\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1232}, (1228, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1232}, "\1\0\0\0\1\0\0\0\16\0\2\0\4O\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03509 1320 NtDeviceIoControlFile (1228, 488, 0x0, 0x0, 0x12047, (1228, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X\370%\0\2\0\4O\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03510 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\314\4\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03499 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03511 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1236, ) == 0x0 03512 1336 NtWaitForSingleObject (1236, 0, 0x0, ... 03510 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03513 1320 NtSetEventBoostPriority (1236, ... 03512 1336 NtWaitForSingleObject ... ) == 0x0 03514 1336 NtDeviceIoControlFile (1228, 356, 0x0, 0x0, 0x12037, (1228, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1228, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03515 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03513 1320 NtSetEventBoostPriority ... ) == 0x0 03516 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03502 1348 NtDelayExecution ... ) == 0x0 03517 1348 NtSetEventBoostPriority (440, ... 03392 1156 NtWaitForSingleObject ... 
) == 0x0 03518 1156 NtDelayExecution (0, {-10000, -1}, ... 03517 1348 NtSetEventBoostPriority ... ) == 0x0 03519 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03520 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456800, 67, ... 1240, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456800, 67, ... 1240, {status=0x0, info=0}, ) == 0x0 03521 1348 NtDeviceIoControlFile (1240, 516, 0x0, 0x0, 0x12047, (1240, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320\372%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03522 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03523 1348 NtDeviceIoControlFile (1240, 516, 0x0, 0x0, 0x1203b, (1240, 516, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03524 1348 NtDeviceIoControlFile (1240, 516, 0x0, 0x0, 0x12003, (1240, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1244}, "\1\0\0\0\1\0\0\0\16\0\2\0\4P\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1244}, (1240, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1244}, "\1\0\0\0\1\0\0\0\16\0\2\0\4P\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03525 1348 NtDeviceIoControlFile (1240, 516, 0x0, 0x0, 0x12047, (1240, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360\371%\0\2\0\4P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03526 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\330\4\0\0\1\0\0\0\16\0\2\0\1\275rY\224\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03515 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03527 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1248, ) == 0x0 03528 1336 NtWaitForSingleObject (1248, 0, 0x0, ... 03526 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03529 1348 NtSetEventBoostPriority (1248, ... 03528 1336 NtWaitForSingleObject ... ) == 0x0 03530 1336 NtDeviceIoControlFile (1240, 356, 0x0, 0x0, 0x12037, (1240, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1240, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03531 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03529 1348 NtSetEventBoostPriority ... ) == 0x0 03532 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03518 1156 NtDelayExecution ... ) == 0x0 03533 1156 NtSetEventBoostPriority (440, ... 03408 1440 NtWaitForSingleObject ... 
) == 0x0 03534 1440 NtDelayExecution (0, {-10000, -1}, ... 03533 1156 NtSetEventBoostPriority ... ) == 0x0 03535 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03536 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553952, 67, ... 1252, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553952, 67, ... 1252, {status=0x0, info=0}, ) == 0x0 03537 1156 NtDeviceIoControlFile (1252, 504, 0x0, 0x0, 0x12047, (1252, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\374%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03538 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03539 1156 NtDeviceIoControlFile (1252, 504, 0x0, 0x0, 0x1203b, (1252, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03540 1156 NtDeviceIoControlFile (1252, 504, 0x0, 0x0, 0x12003, (1252, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1256}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Q\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1256}, (1252, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1256}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Q\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03541 1156 NtDeviceIoControlFile (1252, 504, 0x0, 0x0, 0x12047, (1252, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\373%\0\2\0\4Q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03542 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\344\4\0\0\1\0\0\0\16\0\2\0\1\275|O\376\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03531 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03543 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1260, ) == 0x0 03544 1336 NtWaitForSingleObject (1260, 0, 0x0, ... 03542 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03545 1156 NtSetEventBoostPriority (1260, ... 03544 1336 NtWaitForSingleObject ... ) == 0x0 03546 1336 NtDeviceIoControlFile (1252, 356, 0x0, 0x0, 0x12037, (1252, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1252, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03547 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03545 1156 NtSetEventBoostPriority ... ) == 0x0 03548 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03534 1440 NtDelayExecution ... ) == 0x0 03549 1440 NtSetEventBoostPriority (440, ... 03419 1308 NtWaitForSingleObject ... 
) == 0x0 03550 1308 NtDelayExecution (0, {-10000, -1}, ... 03549 1440 NtSetEventBoostPriority ... ) == 0x0 03551 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03552 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651104, 67, ... 1264, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651104, 67, ... 1264, {status=0x0, info=0}, ) == 0x0 03553 1440 NtDeviceIoControlFile (1264, 548, 0x0, 0x0, 0x12047, (1264, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\376%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03554 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03555 1440 NtDeviceIoControlFile (1264, 548, 0x0, 0x0, 0x1203b, (1264, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03556 1440 NtDeviceIoControlFile (1264, 548, 0x0, 0x0, 0x12003, (1264, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1268}, "\1\0\0\0\1\0\0\0\16\0\2\0\4R\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1268}, (1264, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1268}, "\1\0\0\0\1\0\0\0\16\0\2\0\4R\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03557 1440 NtDeviceIoControlFile (1264, 548, 0x0, 0x0, 0x12047, (1264, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 \375%\0\2\0\4R\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03558 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\360\4\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\7\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03547 1336 NtRemoveIoCompletion ... 1906658213, 2486592, {status=0xc000023d, info=0}, ) == 0x0 03559 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1272, ) == 0x0 03560 1336 NtWaitForSingleObject (1272, 0, 0x0, ... 03558 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03561 1440 NtSetEventBoostPriority (1272, ... 03560 1336 NtWaitForSingleObject ... ) == 0x0 03562 1336 NtDeviceIoControlFile (1264, 356, 0x0, 0x0, 0x12037, (1264, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1264, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03563 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03561 1440 NtSetEventBoostPriority ... ) == 0x0 03564 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03550 1308 NtDelayExecution ... ) == 0x0 03565 1308 NtSetEventBoostPriority (440, ... 03436 1328 NtWaitForSingleObject ... 
) == 0x0 03566 1328 NtDelayExecution (0, {-10000, -1}, ... 03565 1308 NtSetEventBoostPriority ... ) == 0x0 03567 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03568 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679580, 67, ... 1276, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679580, 67, ... 1276, {status=0x0, info=0}, ) == 0x0 03569 1308 NtDeviceIoControlFile (1276, 360, 0x0, 0x0, 0x12047, (1276, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230\377%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03570 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03571 1308 NtDeviceIoControlFile (1276, 360, 0x0, 0x0, 0x1203b, (1276, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03572 1308 NtDeviceIoControlFile (1276, 360, 0x0, 0x0, 0x12003, (1276, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1280}, "\1\0\0\0\1\0\0\0\16\0\2\0\4S\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1280}, (1276, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1280}, "\1\0\0\0\1\0\0\0\16\0\2\0\4S\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03573 1308 NtDeviceIoControlFile (1276, 360, 0x0, 0x0, 0x12047, (1276, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270\376%\0\2\0\4S\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03574 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x25f140, 0x12007, (412, 0, 0x0, 0x25f140, 0x12007, "\0\0\0\0\16\0\2\0\374\4\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\211\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03575 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03566 1328 NtDelayExecution ... ) == 0x0 03576 1328 NtSetEventBoostPriority (440, ... 03452 1324 NtWaitForSingleObject ... ) == 0x0 03577 1324 NtDelayExecution (0, {-10000, -1}, ... 03576 1328 NtSetEventBoostPriority ... ) == 0x0 03578 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03579 1328 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0 03580 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971036, 67, ... 1284, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971036, 67, ... 
1284, {status=0x0, info=0}, ) == 0x0 03581 1328 NtDeviceIoControlFile (1284, 396, 0x0, 0x0, 0x12047, (1284, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\1&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\2\5\0\0\20\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03582 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03583 1328 NtDeviceIoControlFile (1284, 396, 0x0, 0x0, 0x1203b, (1284, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03584 1328 NtDeviceIoControlFile (1284, 396, 0x0, 0x0, 0x12003, (1284, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1288}, "\1\0\0\0\1\0\0\0\16\0\2\0\4T\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1288}, (1284, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1288}, "\1\0\0\0\1\0\0\0\16\0\2\0\4T\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03585 1328 NtDeviceIoControlFile (1284, 396, 0x0, 0x0, 0x12047, (1284, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P\0&\0\2\0\4T\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\2\5\0\0\20\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03586 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0\4\5\0\0\1\0\0\0\16\0\2\0\1\275^\11o\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03563 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03587 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1292, ) == 0x0 03588 1336 NtWaitForSingleObject (1292, 0, 0x0, ... 03586 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03589 1328 NtSetEventBoostPriority (1292, ... 03588 1336 NtWaitForSingleObject ... ) == 0x0 03590 1336 NtDeviceIoControlFile (1284, 356, 0x0, 0x0, 0x12037, (1284, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1284, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03591 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03589 1328 NtSetEventBoostPriority ... ) == 0x0 03592 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03577 1324 NtDelayExecution ... ) == 0x0 03593 1324 NtSetEventBoostPriority (440, ... 03468 1332 NtWaitForSingleObject ... 
) == 0x0 03594 1332 NtDelayExecution (0, {-10000, -1}, ... 03593 1324 NtSetEventBoostPriority ... ) == 0x0 03595 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03596 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776732, 67, ... 1296, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776732, 67, ... 1296, {status=0x0, info=0}, ) == 0x0 03597 1324 NtDeviceIoControlFile (1296, 380, 0x0, 0x0, 0x12047, (1296, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20\3&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03598 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03599 1324 NtDeviceIoControlFile (1296, 380, 0x0, 0x0, 0x1203b, (1296, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03600 1324 NtDeviceIoControlFile (1296, 380, 0x0, 0x0, 0x12003, (1296, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1300}, "\1\0\0\0\1\0\0\0\16\0\2\0\4U\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1300}, (1296, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1300}, "\1\0\0\0\1\0\0\0\16\0\2\0\4U\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03601 1324 NtDeviceIoControlFile (1296, 380, 0x0, 0x0, 0x12047, (1296, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\2&\0\2\0\4U\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03602 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0\20\5\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03591 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03603 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1304, ) == 0x0 03604 1336 NtWaitForSingleObject (1304, 0, 0x0, ... 03602 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03605 1324 NtSetEventBoostPriority (1304, ... 03604 1336 NtWaitForSingleObject ... ) == 0x0 03606 1336 NtDeviceIoControlFile (1296, 356, 0x0, 0x0, 0x12037, (1296, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1296, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03607 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03605 1324 NtSetEventBoostPriority ... ) == 0x0 03608 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03594 1332 NtDelayExecution ... ) == 0x0 03609 1332 NtSetEventBoostPriority (440, ... 03484 1312 NtWaitForSingleObject ... 
) == 0x0 03610 1312 NtDelayExecution (0, {-10000, -1}, ... 03609 1332 NtSetEventBoostPriority ... ) == 0x0 03611 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03612 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873884, 67, ... 1308, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873884, 67, ... 1308, {status=0x0, info=0}, ) == 0x0 03613 1332 NtDeviceIoControlFile (1308, 400, 0x0, 0x0, 0x12047, (1308, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\4&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03614 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03615 1332 NtDeviceIoControlFile (1308, 400, 0x0, 0x0, 0x1203b, (1308, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03616 1332 NtDeviceIoControlFile (1308, 400, 0x0, 0x0, 0x12003, (1308, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1312}, "\1\0\0\0\1\0\0\0\16\0\2\0\4V\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1312}, (1308, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1312}, "\1\0\0\0\1\0\0\0\16\0\2\0\4V\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03617 1332 NtDeviceIoControlFile (1308, 400, 0x0, 0x0, 0x12047, (1308, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\3&\0\2\0\4V\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03618 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0\34\5\0\0\1\0\0\0\16\0\2\0\1\275\226At\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03607 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03619 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1316, ) == 0x0 03620 1336 NtWaitForSingleObject (1316, 0, 0x0, ... 03618 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03621 1332 NtSetEventBoostPriority (1316, ... 03620 1336 NtWaitForSingleObject ... ) == 0x0 03622 1336 NtDeviceIoControlFile (1308, 356, 0x0, 0x0, 0x12037, (1308, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1308, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03623 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03621 1332 NtSetEventBoostPriority ... ) == 0x0 03624 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03610 1312 NtDelayExecution ... ) == 0x0 03625 1312 NtSetEventBoostPriority (440, ... 03500 1344 NtWaitForSingleObject ... 
) == 0x0 03626 1344 NtDelayExecution (0, {-10000, -1}, ... 03625 1312 NtSetEventBoostPriority ... ) == 0x0 03627 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03628 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165340, 67, ... 1320, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165340, 67, ... 1320, {status=0x0, info=0}, ) == 0x0 03629 1312 NtDeviceIoControlFile (1320, 448, 0x0, 0x0, 0x12047, (1320, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@\6&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03630 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03631 1312 NtDeviceIoControlFile (1320, 448, 0x0, 0x0, 0x1203b, (1320, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03632 1312 NtDeviceIoControlFile (1320, 448, 0x0, 0x0, 0x12003, (1320, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1324}, "\1\0\0\0\1\0\0\0\16\0\2\0\4W\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1324}, (1320, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1324}, "\1\0\0\0\1\0\0\0\16\0\2\0\4W\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03633 1312 NtDeviceIoControlFile (1320, 448, 0x0, 0x0, 0x12047, (1320, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0`\5&\0\2\0\4W\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03634 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0(\5\0\0\1\0\0\0\16\0\2\0\1\275$N&\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03623 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03635 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1328, ) == 0x0 03636 1336 NtWaitForSingleObject (1328, 0, 0x0, ... 03634 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03637 1312 NtSetEventBoostPriority (1328, ... 03636 1336 NtWaitForSingleObject ... ) == 0x0 03638 1336 NtDeviceIoControlFile (1320, 356, 0x0, 0x0, 0x12037, (1320, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1320, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03639 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03637 1312 NtSetEventBoostPriority ... ) == 0x0 03640 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03626 1344 NtDelayExecution ... ) == 0x0 03641 1344 NtSetEventBoostPriority (440, ... 03516 1320 NtWaitForSingleObject ... 
) == 0x0 03642 1320 NtDelayExecution (0, {-10000, -1}, ... 03641 1344 NtSetEventBoostPriority ... ) == 0x0 03643 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03644 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262492, 67, ... 1332, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262492, 67, ... 1332, {status=0x0, info=0}, ) == 0x0 03645 1344 NtDeviceIoControlFile (1332, 476, 0x0, 0x0, 0x12047, (1332, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330\7&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03646 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03647 1344 NtDeviceIoControlFile (1332, 476, 0x0, 0x0, 0x1203b, (1332, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03648 1344 NtDeviceIoControlFile (1332, 476, 0x0, 0x0, 0x12003, (1332, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1336}, "\1\0\0\0\1\0\0\0\16\0\2\0\4X\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1336}, (1332, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1336}, "\1\0\0\0\1\0\0\0\16\0\2\0\4X\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03649 1344 NtDeviceIoControlFile (1332, 476, 0x0, 0x0, 0x12047, (1332, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\370\6&\0\2\0\4X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03650 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\04\5\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03639 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03651 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1340, ) == 0x0 03652 1336 NtWaitForSingleObject (1340, 0, 0x0, ... 03650 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03653 1344 NtSetEventBoostPriority (1340, ... 03652 1336 NtWaitForSingleObject ... ) == 0x0 03654 1336 NtDeviceIoControlFile (1332, 356, 0x0, 0x0, 0x12037, (1332, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1332, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03655 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03653 1344 NtSetEventBoostPriority ... ) == 0x0 03656 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03642 1320 NtDelayExecution ... ) == 0x0 03657 1320 NtSetEventBoostPriority (440, ... 03532 1348 NtWaitForSingleObject ... 
) == 0x0 03658 1348 NtDelayExecution (0, {-10000, -1}, ... 03657 1320 NtSetEventBoostPriority ... ) == 0x0 03659 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03660 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359644, 67, ... 1344, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359644, 67, ... 1344, {status=0x0, info=0}, ) == 0x0 03661 1320 NtDeviceIoControlFile (1344, 488, 0x0, 0x0, 0x12047, (1344, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p\11&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03662 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03663 1320 NtDeviceIoControlFile (1344, 488, 0x0, 0x0, 0x1203b, (1344, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03664 1320 NtDeviceIoControlFile (1344, 488, 0x0, 0x0, 0x12003, (1344, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1348}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Y\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1348}, (1344, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1348}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Y\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03665 1320 NtDeviceIoControlFile (1344, 488, 0x0, 0x0, 0x12047, (1344, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\220\10&\0\2\0\4Y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03666 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0@\5\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03655 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03667 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1352, ) == 0x0 03668 1336 NtWaitForSingleObject (1352, 0, 0x0, ... 03666 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03669 1320 NtSetEventBoostPriority (1352, ... 03668 1336 NtWaitForSingleObject ... ) == 0x0 03670 1336 NtDeviceIoControlFile (1344, 356, 0x0, 0x0, 0x12037, (1344, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1344, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03671 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03669 1320 NtSetEventBoostPriority ... ) == 0x0 03672 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03658 1348 NtDelayExecution ... ) == 0x0 03673 1348 NtSetEventBoostPriority (440, ... 03548 1156 NtWaitForSingleObject ... 
) == 0x0 03674 1156 NtDelayExecution (0, {-10000, -1}, ... 03673 1348 NtSetEventBoostPriority ... ) == 0x0 03675 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03676 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456796, 67, ... 1356, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456796, 67, ... 1356, {status=0x0, info=0}, ) == 0x0 03677 1348 NtDeviceIoControlFile (1356, 516, 0x0, 0x0, 0x12047, (1356, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10\13&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03678 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03679 1348 NtDeviceIoControlFile (1356, 516, 0x0, 0x0, 0x1203b, (1356, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03680 1348 NtDeviceIoControlFile (1356, 516, 0x0, 0x0, 0x12003, (1356, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1360}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Z\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1360}, (1356, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1360}, "\1\0\0\0\1\0\0\0\16\0\2\0\4Z\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03681 1348 NtDeviceIoControlFile (1356, 516, 0x0, 0x0, 0x12047, (1356, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\12&\0\2\0\4Z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03682 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0L\5\0\0\1\0\0\0\16\0\2\0\1\275rY\224\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03671 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03683 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1364, ) == 0x0 03684 1336 NtWaitForSingleObject (1364, 0, 0x0, ... 03682 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03685 1348 NtSetEventBoostPriority (1364, ... 03684 1336 NtWaitForSingleObject ... ) == 0x0 03686 1336 NtDeviceIoControlFile (1356, 356, 0x0, 0x0, 0x12037, (1356, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1356, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03687 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03685 1348 NtSetEventBoostPriority ... ) == 0x0 03688 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03674 1156 NtDelayExecution ... ) == 0x0 03689 1156 NtSetEventBoostPriority (440, ... 03564 1440 NtWaitForSingleObject ... 
) == 0x0 03690 1440 NtDelayExecution (0, {-10000, -1}, ... 03689 1156 NtSetEventBoostPriority ... ) == 0x0 03691 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03692 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553948, 67, ... 1368, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553948, 67, ... 1368, {status=0x0, info=0}, ) == 0x0 03693 1156 NtDeviceIoControlFile (1368, 504, 0x0, 0x0, 0x12047, (1368, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240\16&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03694 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03695 1156 NtDeviceIoControlFile (1368, 504, 0x0, 0x0, 0x1203b, (1368, 504, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03696 1156 NtDeviceIoControlFile (1368, 504, 0x0, 0x0, 0x12003, (1368, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1372}, "\1\0\0\0\1\0\0\0\16\0\2\0\4[\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1372}, (1368, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1372}, "\1\0\0\0\1\0\0\0\16\0\2\0\4[\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03697 1156 NtDeviceIoControlFile (1368, 504, 0x0, 0x0, 0x12047, (1368, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\15&\0\2\0\4[\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03698 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0X\5\0\0\1\0\0\0\16\0\2\0\1\275|O\376\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03687 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03699 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1376, ) == 0x0 03700 1336 NtWaitForSingleObject (1376, 0, 0x0, ... 03698 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03701 1156 NtSetEventBoostPriority (1376, ... 03700 1336 NtWaitForSingleObject ... ) == 0x0 03702 1336 NtDeviceIoControlFile (1368, 356, 0x0, 0x0, 0x12037, (1368, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1368, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03703 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03701 1156 NtSetEventBoostPriority ... ) == 0x0 03704 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03690 1440 NtDelayExecution ... ) == 0x0 03705 1440 NtSetEventBoostPriority (440, ... 03575 1308 NtWaitForSingleObject ... 
) == 0x0 03706 1308 NtDelayExecution (0, {-10000, -1}, ... 03705 1440 NtSetEventBoostPriority ... ) == 0x0 03707 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03708 1440 NtAllocateVirtualMemory (-1, 2494464, 0, 4096, 4096, 4, ... 2494464, 4096, ) == 0x0 03709 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651100, 67, ... 1380, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651100, 67, ... 1380, {status=0x0, info=0}, ) == 0x0 03710 1440 NtDeviceIoControlFile (1380, 548, 0x0, 0x0, 0x12047, (1380, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\08\20&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03711 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03712 1440 NtDeviceIoControlFile (1380, 548, 0x0, 0x0, 0x1203b, (1380, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03713 1440 NtDeviceIoControlFile (1380, 548, 0x0, 0x0, 0x12003, (1380, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1384}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1384}, (1380, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1384}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03714 1440 NtDeviceIoControlFile (1380, 548, 0x0, 0x0, 0x12047, (1380, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X\17&\0\2\0\4\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03715 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0d\5\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\10\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03703 1336 NtRemoveIoCompletion ... 1906658213, 2490744, {status=0xc000023d, info=0}, ) == 0x0 03716 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1388, ) == 0x0 03717 1336 NtWaitForSingleObject (1388, 0, 0x0, ... 03715 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03718 1440 NtSetEventBoostPriority (1388, ... 03717 1336 NtWaitForSingleObject ... ) == 0x0 03719 1336 NtDeviceIoControlFile (1380, 356, 0x0, 0x0, 0x12037, (1380, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1380, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03720 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03718 1440 NtSetEventBoostPriority ... ) == 0x0 03721 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03706 1308 NtDelayExecution ... ) == 0x0 03722 1308 NtSetEventBoostPriority (440, ... 03592 1328 NtWaitForSingleObject ... 
) == 0x0 03723 1328 NtDelayExecution (0, {-10000, -1}, ... 03722 1308 NtSetEventBoostPriority ... ) == 0x0 03724 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03725 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679576, 67, ... 1392, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679576, 67, ... 1392, {status=0x0, info=0}, ) == 0x0 03726 1308 NtDeviceIoControlFile (1392, 360, 0x0, 0x0, 0x12047, (1392, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\320\21&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03727 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03728 1308 NtDeviceIoControlFile (1392, 360, 0x0, 0x0, 0x1203b, (1392, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03729 1308 NtDeviceIoControlFile (1392, 360, 0x0, 0x0, 0x12003, (1392, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1396}, "\1\0\0\0\1\0\0\0\16\0\2\0\4]\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1396}, (1392, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1396}, "\1\0\0\0\1\0\0\0\16\0\2\0\4]\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03730 1308 NtDeviceIoControlFile (1392, 360, 0x0, 0x0, 0x12047, (1392, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360\20&\0\2\0\4]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03731 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x260178, 0x12007, (412, 0, 0x0, 0x260178, 0x12007, "\0\0\0\0\16\0\2\0p\5\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\212\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03732 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03723 1328 NtDelayExecution ... ) == 0x0 03733 1328 NtSetEventBoostPriority (440, ... 03608 1324 NtWaitForSingleObject ... ) == 0x0 03734 1324 NtDelayExecution (0, {-10000, -1}, ... 03733 1328 NtSetEventBoostPriority ... ) == 0x0 03735 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03736 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971032, 67, ... 1400, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971032, 67, ... 
1400, {status=0x0, info=0}, ) == 0x0 03737 1328 NtDeviceIoControlFile (1400, 396, 0x0, 0x0, 0x12047, (1400, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\23&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03738 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03739 1328 NtDeviceIoControlFile (1400, 396, 0x0, 0x0, 0x1203b, (1400, 396, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03740 1328 NtDeviceIoControlFile (1400, 396, 0x0, 0x0, 0x12003, (1400, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1404}, "\1\0\0\0\1\0\0\0\16\0\2\0\4^\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1404}, (1400, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1404}, "\1\0\0\0\1\0\0\0\16\0\2\0\4^\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03741 1328 NtDeviceIoControlFile (1400, 396, 0x0, 0x0, 0x12047, (1400, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210\22&\0\2\0\4^\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03742 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0x\5\0\0\1\0\0\0\16\0\2\0\1\275^\11o\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03720 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03743 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1408, ) == 0x0 03744 1336 NtWaitForSingleObject (1408, 0, 0x0, ... 03742 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03745 1328 NtSetEventBoostPriority (1408, ... 03744 1336 NtWaitForSingleObject ... ) == 0x0 03746 1336 NtDeviceIoControlFile (1400, 356, 0x0, 0x0, 0x12037, (1400, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1400, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03747 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03745 1328 NtSetEventBoostPriority ... ) == 0x0 03748 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03734 1324 NtDelayExecution ... ) == 0x0 03749 1324 NtSetEventBoostPriority (440, ... 03624 1332 NtWaitForSingleObject ... 
) == 0x0 03750 1332 NtDelayExecution (0, {-10000, -1}, ... 03749 1324 NtSetEventBoostPriority ... ) == 0x0 03751 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03752 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776728, 67, ... 1412, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776728, 67, ... 1412, {status=0x0, info=0}, ) == 0x0 03753 1324 NtDeviceIoControlFile (1412, 380, 0x0, 0x0, 0x12047, (1412, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0H\25&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03754 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03755 1324 NtDeviceIoControlFile (1412, 380, 0x0, 0x0, 0x1203b, (1412, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03756 1324 NtDeviceIoControlFile (1412, 380, 0x0, 0x0, 0x12003, (1412, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1416}, "\1\0\0\0\1\0\0\0\16\0\2\0\4_\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1416}, (1412, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1416}, "\1\0\0\0\1\0\0\0\16\0\2\0\4_\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03757 1324 NtDeviceIoControlFile (1412, 380, 0x0, 0x0, 0x12047, (1412, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h\24&\0\2\0\4_\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03758 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\204\5\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03747 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03759 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1420, ) == 0x0 03760 1336 NtWaitForSingleObject (1420, 0, 0x0, ... 03758 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03761 1324 NtSetEventBoostPriority (1420, ... 03760 1336 NtWaitForSingleObject ... ) == 0x0 03762 1336 NtDeviceIoControlFile (1412, 356, 0x0, 0x0, 0x12037, (1412, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1412, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03763 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03761 1324 NtSetEventBoostPriority ... ) == 0x0 03764 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03750 1332 NtDelayExecution ... ) == 0x0 03765 1332 NtSetEventBoostPriority (440, ... 03640 1312 NtWaitForSingleObject ... 
) == 0x0 03766 1312 NtDelayExecution (0, {-10000, -1}, ... 03765 1332 NtSetEventBoostPriority ... ) == 0x0 03767 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03768 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873880, 67, ... 1424, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873880, 67, ... 1424, {status=0x0, info=0}, ) == 0x0 03769 1332 NtDeviceIoControlFile (1424, 400, 0x0, 0x0, 0x12047, (1424, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230\260%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\17&\0\250\255%\0\270\261%\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0HM%\0\0\0\0\0\0\0\0\0\0\0\0\0\0`%\0\0\0\0\0\0\0\0\0\0\0\0\0\21\0\15\0\0\1\10\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03770 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03771 1332 NtDeviceIoControlFile (1424, 400, 0x0, 0x0, 0x1203b, (1424, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03772 1332 NtDeviceIoControlFile (1424, 400, 0x0, 0x0, 0x12003, (1424, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1428}, "\1\0\0\0\1\0\0\0\16\0\2\0\4`\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1428}, (1424, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1428}, "\1\0\0\0\1\0\0\0\16\0\2\0\4`\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03773 1332 NtDeviceIoControlFile (1424, 400, 0x0, 0x0, 0x12047, (1424, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p\27&\0\2\0\4`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\17&\0\250\255%\0\270\261%\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0HM%\0\0\0\0\0\0\0\0\0\0\0\0\0\0`%\0\0\0\0\0\0\0\0\0\0\0\0\0\21\0\15\0\0\1\10\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03774 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\220\5\0\0\1\0\0\0\16\0\2\0\1\275\226At\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03763 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03775 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1432, ) == 0x0 03776 1336 NtWaitForSingleObject (1432, 0, 0x0, ... 03774 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03777 1332 NtSetEventBoostPriority (1432, ... 03776 1336 NtWaitForSingleObject ... ) == 0x0 03778 1336 NtDeviceIoControlFile (1424, 356, 0x0, 0x0, 0x12037, (1424, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1424, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03779 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03777 1332 NtSetEventBoostPriority ... ) == 0x0 03780 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03766 1312 NtDelayExecution ... ) == 0x0 03781 1312 NtSetEventBoostPriority (440, ... 03656 1344 NtWaitForSingleObject ... 
) == 0x0 03782 1344 NtDelayExecution (0, {-10000, -1}, ... 03781 1312 NtSetEventBoostPriority ... ) == 0x0 03783 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03784 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165336, 67, ... 1436, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165336, 67, ... 1436, {status=0x0, info=0}, ) == 0x0 03785 1312 NtDeviceIoControlFile (1436, 448, 0x0, 0x0, 0x12047, (1436, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\340\260%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03786 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03787 1312 NtDeviceIoControlFile (1436, 448, 0x0, 0x0, 0x1203b, (1436, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03788 1312 NtDeviceIoControlFile (1436, 448, 0x0, 0x0, 0x12003, (1436, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1440}, "\1\0\0\0\1\0\0\0\16\0\2\0\4a\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1440}, (1436, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1440}, "\1\0\0\0\1\0\0\0\16\0\2\0\4a\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03789 1312 NtDeviceIoControlFile (1436, 448, 0x0, 0x0, 0x12047, (1436, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\300\30&\0\2\0\4a\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03790 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\234\5\0\0\1\0\0\0\16\0\2\0\1\275$N&\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03779 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03791 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1444, ) == 0x0 03792 1336 NtWaitForSingleObject (1444, 0, 0x0, ... 03790 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03793 1312 NtSetEventBoostPriority (1444, ... 03792 1336 NtWaitForSingleObject ... ) == 0x0 03794 1336 NtDeviceIoControlFile (1436, 356, 0x0, 0x0, 0x12037, (1436, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1436, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03795 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03793 1312 NtSetEventBoostPriority ... ) == 0x0 03796 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03782 1344 NtDelayExecution ... ) == 0x0 03797 1344 NtSetEventBoostPriority (440, ... 03672 1320 NtWaitForSingleObject ... 
) == 0x0 03798 1320 NtDelayExecution (0, {-10000, -1}, ... 03797 1344 NtSetEventBoostPriority ... ) == 0x0 03799 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03800 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262488, 67, ... 1448, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262488, 67, ... 1448, {status=0x0, info=0}, ) == 0x0 03801 1344 NtDeviceIoControlFile (1448, 476, 0x0, 0x0, 0x12047, (1448, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20\33&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03802 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03803 1344 NtDeviceIoControlFile (1448, 476, 0x0, 0x0, 0x1203b, (1448, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03804 1344 NtDeviceIoControlFile (1448, 476, 0x0, 0x0, 0x12003, (1448, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1452}, "\1\0\0\0\1\0\0\0\16\0\2\0\4b\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1452}, (1448, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1452}, "\1\0\0\0\1\0\0\0\16\0\2\0\4b\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03805 1344 NtDeviceIoControlFile (1448, 476, 0x0, 0x0, 0x12047, (1448, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\32&\0\2\0\4b\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03806 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\250\5\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03795 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03807 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1456, ) == 0x0 03808 1336 NtWaitForSingleObject (1456, 0, 0x0, ... 03806 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03809 1344 NtSetEventBoostPriority (1456, ... 03808 1336 NtWaitForSingleObject ... ) == 0x0 03810 1336 NtDeviceIoControlFile (1448, 356, 0x0, 0x0, 0x12037, (1448, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1448, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03811 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03809 1344 NtSetEventBoostPriority ... ) == 0x0 03812 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03798 1320 NtDelayExecution ... ) == 0x0 03813 1320 NtSetEventBoostPriority (440, ... 03688 1348 NtWaitForSingleObject ... 
) == 0x0 03814 1348 NtDelayExecution (0, {-10000, -1}, ... 03813 1320 NtSetEventBoostPriority ... ) == 0x0 03815 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03816 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359640, 67, ... 1460, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359640, 67, ... 1460, {status=0x0, info=0}, ) == 0x0 03817 1320 NtDeviceIoControlFile (1460, 488, 0x0, 0x0, 0x12047, (1460, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250\34&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03818 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03819 1320 NtDeviceIoControlFile (1460, 488, 0x0, 0x0, 0x1203b, (1460, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03820 1320 NtDeviceIoControlFile (1460, 488, 0x0, 0x0, 0x12003, (1460, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1464}, "\1\0\0\0\1\0\0\0\16\0\2\0\4c\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1464}, (1460, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1464}, "\1\0\0\0\1\0\0\0\16\0\2\0\4c\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03821 1320 NtDeviceIoControlFile (1460, 488, 0x0, 0x0, 0x12047, (1460, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\33&\0\2\0\4c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03822 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\264\5\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03811 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03823 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1468, ) == 0x0 03824 1336 NtWaitForSingleObject (1468, 0, 0x0, ... 03822 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03825 1320 NtSetEventBoostPriority (1468, ... 03824 1336 NtWaitForSingleObject ... ) == 0x0 03826 1336 NtDeviceIoControlFile (1460, 356, 0x0, 0x0, 0x12037, (1460, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1460, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03827 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03825 1320 NtSetEventBoostPriority ... ) == 0x0 03828 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03814 1348 NtDelayExecution ... ) == 0x0 03829 1348 NtSetEventBoostPriority (440, ... 03704 1156 NtWaitForSingleObject ... 
) == 0x0 03830 1156 NtDelayExecution (0, {-10000, -1}, ... 03829 1348 NtSetEventBoostPriority ... ) == 0x0 03831 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03832 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456792, 67, ... 1472, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456792, 67, ... 1472, {status=0x0, info=0}, ) == 0x0 03833 1348 NtDeviceIoControlFile (1472, 516, 0x0, 0x0, 0x12047, (1472, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@\36&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03834 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03835 1348 NtAllocateVirtualMemory (-1, 2498560, 0, 4096, 4096, 4, ... 2498560, 4096, ) == 0x0 03836 1348 NtDeviceIoControlFile (1472, 516, 0x0, 0x0, 0x1203b, (1472, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03837 1348 NtDeviceIoControlFile (1472, 516, 0x0, 0x0, 0x12003, (1472, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1476}, "\1\0\0\0\1\0\0\0\16\0\2\0\4d\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1476}, (1472, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1476}, "\1\0\0\0\1\0\0\0\16\0\2\0\4d\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03838 1348 NtDeviceIoControlFile (1472, 516, 0x0, 0x0, 0x12047, (1472, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0`\35&\0\2\0\4d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03839 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\300\5\0\0\1\0\0\0\16\0\2\0\1\275rY\224\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03827 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03840 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1480, ) == 0x0 03841 1336 NtWaitForSingleObject (1480, 0, 0x0, ... 03839 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03842 1348 NtSetEventBoostPriority (1480, ... 03841 1336 NtWaitForSingleObject ... ) == 0x0 03843 1336 NtDeviceIoControlFile (1472, 356, 0x0, 0x0, 0x12037, (1472, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1472, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03844 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03842 1348 NtSetEventBoostPriority ... ) == 0x0 03845 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03830 1156 NtDelayExecution ... ) == 0x0 03846 1156 NtSetEventBoostPriority (440, ... 03721 1440 NtWaitForSingleObject ... 
) == 0x0 03847 1440 NtDelayExecution (0, {-10000, -1}, ... 03846 1156 NtSetEventBoostPriority ... ) == 0x0 03848 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03849 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553944, 67, ... 1484, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553944, 67, ... 1484, {status=0x0, info=0}, ) == 0x0 03850 1156 NtDeviceIoControlFile (1484, 504, 0x0, 0x0, 0x12047, (1484, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x\265%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\310\367%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\10\266%\00\273%\0\0\0\0\0\240\313%\0\0\0\0\0\0\0\0\00W%\0\370[%\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03851 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03852 1156 NtDeviceIoControlFile (1484, 504, 0x0, 0x0, 0x1203b, (1484, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03853 1156 NtDeviceIoControlFile (1484, 504, 0x0, 0x0, 0x12003, (1484, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1488}, "\1\0\0\0\1\0\0\0\16\0\2\0\4e\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1488}, (1484, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1488}, "\1\0\0\0\1\0\0\0\16\0\2\0\4e\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03854 1156 NtDeviceIoControlFile (1484, 504, 0x0, 0x0, 0x12047, (1484, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h &\0\2\0\4e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\310\367%\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\10\266%\00\273%\0\0\0\0\0\240\313%\0\0\0\0\0\0\0\0\00W%\0\370[%\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03855 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\314\5\0\0\1\0\0\0\16\0\2\0\1\275|O\376\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03844 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03856 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1492, ) == 0x0 03857 1336 NtWaitForSingleObject (1492, 0, 0x0, ... 03855 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03858 1156 NtSetEventBoostPriority (1492, ... 03857 1336 NtWaitForSingleObject ... ) == 0x0 03859 1336 NtDeviceIoControlFile (1484, 356, 0x0, 0x0, 0x12037, (1484, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1484, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03860 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03858 1156 NtSetEventBoostPriority ... ) == 0x0 03861 1156 NtWaitForSingleObject (440, 0, 0x0, ... 03847 1440 NtDelayExecution ... ) == 0x0 03862 1440 NtSetEventBoostPriority (440, ... 03732 1308 NtWaitForSingleObject ... 
) == 0x0 03863 1308 NtDelayExecution (0, {-10000, -1}, ... 03862 1440 NtSetEventBoostPriority ... ) == 0x0 03864 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03865 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651096, 67, ... 1496, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651096, 67, ... 1496, {status=0x0, info=0}, ) == 0x0 03866 1440 NtDeviceIoControlFile (1496, 548, 0x0, 0x0, 0x12047, (1496, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230"&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) &\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 (1496, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\230"&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) ", ) == 0x0 03867 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... 
) == 0x102 03868 1440 NtDeviceIoControlFile (1496, 548, 0x0, 0x0, 0x1203b, (1496, 548, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03869 1440 NtDeviceIoControlFile (1496, 548, 0x0, 0x0, 0x12003, (1496, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1500}, "\1\0\0\0\1\0\0\0\16\0\2\0\4f\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1500}, (1496, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1500}, "\1\0\0\0\1\0\0\0\16\0\2\0\4f\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03870 1440 NtDeviceIoControlFile (1496, 548, 0x0, 0x0, 0x12047, (1496, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270!&\0\2\0\4f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03871 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\330\5\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\11\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03860 1336 NtRemoveIoCompletion ... 1906658213, 2495408, {status=0xc000023d, info=0}, ) == 0x0 03872 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1504, ) == 0x0 03873 1336 NtWaitForSingleObject (1504, 0, 0x0, ... 03871 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03874 1440 NtSetEventBoostPriority (1504, ... 03873 1336 NtWaitForSingleObject ... 
) == 0x0 03875 1336 NtDeviceIoControlFile (1496, 356, 0x0, 0x0, 0x12037, (1496, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1496, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03876 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03874 1440 NtSetEventBoostPriority ... ) == 0x0 03877 1440 NtWaitForSingleObject (440, 0, 0x0, ... 03863 1308 NtDelayExecution ... ) == 0x0 03878 1308 NtSetEventBoostPriority (440, ... 03748 1328 NtWaitForSingleObject ... ) == 0x0 03879 1328 NtDelayExecution (0, {-10000, -1}, ... 03878 1308 NtSetEventBoostPriority ... ) == 0x0 03880 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03881 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679572, 67, ... 1508, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679572, 67, ... 1508, {status=0x0, info=0}, ) == 0x0 03882 1308 NtDeviceIoControlFile (1508, 360, 0x0, 0x0, 0x12047, (1508, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20$&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03883 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03884 1308 NtDeviceIoControlFile (1508, 360, 0x0, 0x0, 0x1203b, (1508, 360, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... 
{status=0x0, info=0}, 0x0, ) == 0x0 03885 1308 NtDeviceIoControlFile (1508, 360, 0x0, 0x0, 0x12003, (1508, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1512}, "\1\0\0\0\1\0\0\0\16\0\2\0\4g\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1512}, (1508, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1512}, "\1\0\0\0\1\0\0\0\16\0\2\0\4g\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03886 1308 NtDeviceIoControlFile (1508, 360, 0x0, 0x0, 0x12047, (1508, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00#&\0\2\0\4g\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03887 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x2613b0, 0x12007, (412, 0, 0x0, 0x2613b0, 0x12007, "\0\0\0\0\16\0\2\0\344\5\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\213\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 03888 1308 NtWaitForSingleObject (440, 0, 0x0, ... 03879 1328 NtDelayExecution ... ) == 0x0 03889 1328 NtSetEventBoostPriority (440, ... 03764 1324 NtWaitForSingleObject ... ) == 0x0 03890 1324 NtDelayExecution (0, {-10000, -1}, ... 03889 1328 NtSetEventBoostPriority ... ) == 0x0 03891 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03892 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971028, 67, ... 
1516, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971028, 67, ... 1516, {status=0x0, info=0}, ) == 0x0 03893 1328 NtDeviceIoControlFile (1516, 396, 0x0, 0x0, 0x12047, (1516, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250%&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03894 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03895 1328 NtDeviceIoControlFile (1516, 396, 0x0, 0x0, 0x1203b, (1516, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03896 1328 NtDeviceIoControlFile (1516, 396, 0x0, 0x0, 0x12003, (1516, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1520}, "\1\0\0\0\1\0\0\0\16\0\2\0\4h\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1520}, (1516, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1520}, "\1\0\0\0\1\0\0\0\16\0\2\0\4h\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03897 1328 NtDeviceIoControlFile (1516, 396, 0x0, 0x0, 0x12047, (1516, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310$&\0\2\0\4h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03898 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0\354\5\0\0\1\0\0\0\16\0\2\0\1\275^\11o\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03876 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03899 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1524, ) == 0x0 03900 1336 NtWaitForSingleObject (1524, 0, 0x0, ... 03898 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03901 1328 NtSetEventBoostPriority (1524, ... 03900 1336 NtWaitForSingleObject ... ) == 0x0 03902 1336 NtDeviceIoControlFile (1516, 356, 0x0, 0x0, 0x12037, (1516, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1516, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03903 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03901 1328 NtSetEventBoostPriority ... ) == 0x0 03904 1328 NtWaitForSingleObject (440, 0, 0x0, ... 03890 1324 NtDelayExecution ... ) == 0x0 03905 1324 NtSetEventBoostPriority (440, ... 03780 1332 NtWaitForSingleObject ... 
) == 0x0 03906 1332 NtDelayExecution (0, {-10000, -1}, ... 03905 1324 NtSetEventBoostPriority ... ) == 0x0 03907 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03908 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776724, 67, ... 1528, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776724, 67, ... 1528, {status=0x0, info=0}, ) == 0x0 03909 1324 NtDeviceIoControlFile (1528, 380, 0x0, 0x0, 0x12047, (1528, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\210'&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03910 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03911 1324 NtDeviceIoControlFile (1528, 380, 0x0, 0x0, 0x1203b, (1528, 380, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03912 1324 NtDeviceIoControlFile (1528, 380, 0x0, 0x0, 0x12003, (1528, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1532}, "\1\0\0\0\1\0\0\0\16\0\2\0\4i\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1532}, (1528, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1532}, "\1\0\0\0\1\0\0\0\16\0\2\0\4i\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03913 1324 NtDeviceIoControlFile (1528, 380, 0x0, 0x0, 0x12047, (1528, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\250&&\0\2\0\4i\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03914 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0\370\5\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03903 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03915 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1536, ) == 0x0 03916 1336 NtWaitForSingleObject (1536, 0, 0x0, ... 03914 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03917 1324 NtSetEventBoostPriority (1536, ... 03916 1336 NtWaitForSingleObject ... ) == 0x0 03918 1336 NtDeviceIoControlFile (1528, 356, 0x0, 0x0, 0x12037, (1528, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1528, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03919 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03917 1324 NtSetEventBoostPriority ... ) == 0x0 03920 1324 NtWaitForSingleObject (440, 0, 0x0, ... 03906 1332 NtDelayExecution ... ) == 0x0 03921 1332 NtSetEventBoostPriority (440, ... 03796 1312 NtWaitForSingleObject ... 
) == 0x0 03922 1312 NtDelayExecution (0, {-10000, -1}, ... 03921 1332 NtSetEventBoostPriority ... ) == 0x0 03923 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03924 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873876, 67, ... 1540, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873876, 67, ... 1540, {status=0x0, info=0}, ) == 0x0 03925 1332 NtDeviceIoControlFile (1540, 400, 0x0, 0x0, 0x12047, (1540, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0 )&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03926 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03927 1332 NtDeviceIoControlFile (1540, 400, 0x0, 0x0, 0x1203b, (1540, 400, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03928 1332 NtDeviceIoControlFile (1540, 400, 0x0, 0x0, 0x12003, (1540, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1544}, "\1\0\0\0\1\0\0\0\16\0\2\0\4j\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1544}, (1540, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1544}, "\1\0\0\0\1\0\0\0\16\0\2\0\4j\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03929 1332 NtDeviceIoControlFile (1540, 400, 0x0, 0x0, 0x12047, (1540, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0@(&\0\2\0\4j\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03930 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0\4\6\0\0\1\0\0\0\16\0\2\0\1\275\226At\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03919 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03931 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1548, ) == 0x0 03932 1336 NtWaitForSingleObject (1548, 0, 0x0, ... 03930 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03933 1332 NtSetEventBoostPriority (1548, ... 03932 1336 NtWaitForSingleObject ... ) == 0x0 03934 1336 NtDeviceIoControlFile (1540, 356, 0x0, 0x0, 0x12037, (1540, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1540, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03935 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03933 1332 NtSetEventBoostPriority ... ) == 0x0 03936 1332 NtWaitForSingleObject (440, 0, 0x0, ... 03922 1312 NtDelayExecution ... ) == 0x0 03937 1312 NtSetEventBoostPriority (440, ... 03812 1344 NtWaitForSingleObject ... 
) == 0x0 03938 1344 NtDelayExecution (0, {-10000, -1}, ... 03937 1312 NtSetEventBoostPriority ... ) == 0x0 03939 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03940 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165332, 67, ... 1552, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165332, 67, ... 1552, {status=0x0, info=0}, ) == 0x0 03941 1312 NtDeviceIoControlFile (1552, 448, 0x0, 0x0, 0x12047, (1552, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\270*&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03942 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03943 1312 NtDeviceIoControlFile (1552, 448, 0x0, 0x0, 0x1203b, (1552, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0\324\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03944 1312 NtDeviceIoControlFile (1552, 448, 0x0, 0x0, 0x12003, (1552, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1556}, "\1\0\0\0\1\0\0\0\16\0\2\0\4k\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1556}, (1552, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1556}, "\1\0\0\0\1\0\0\0\16\0\2\0\4k\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03945 1312 NtDeviceIoControlFile (1552, 448, 0x0, 0x0, 0x12047, (1552, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\330)&\0\2\0\4k\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03946 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0\20\6\0\0\1\0\0\0\16\0\2\0\1\275$N&\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03935 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03947 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1560, ) == 0x0 03948 1336 NtWaitForSingleObject (1560, 0, 0x0, ... 03946 1312 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03949 1312 NtSetEventBoostPriority (1560, ... 03948 1336 NtWaitForSingleObject ... ) == 0x0 03950 1336 NtDeviceIoControlFile (1552, 356, 0x0, 0x0, 0x12037, (1552, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1552, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03951 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03949 1312 NtSetEventBoostPriority ... ) == 0x0 03952 1312 NtWaitForSingleObject (440, 0, 0x0, ... 03938 1344 NtDelayExecution ... ) == 0x0 03953 1344 NtSetEventBoostPriority (440, ... 03828 1320 NtWaitForSingleObject ... 
) == 0x0 03954 1320 NtDelayExecution (0, {-10000, -1}, ... 03953 1344 NtSetEventBoostPriority ... ) == 0x0 03955 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03956 1344 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 27262484, 67, ... 1564, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 27262484, 67, ... 1564, {status=0x0, info=0}, ) == 0x0 03957 1344 NtDeviceIoControlFile (1564, 476, 0x0, 0x0, 0x12047, (1564, 476, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0P,&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03958 1344 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03959 1344 NtDeviceIoControlFile (1564, 476, 0x0, 0x0, 0x1203b, (1564, 476, 0x0, 0x0, 0x1203b, "\2\0\0\0h\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03960 1344 NtDeviceIoControlFile (1564, 476, 0x0, 0x0, 0x12003, (1564, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1568}, "\1\0\0\0\1\0\0\0\16\0\2\0\4l\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1568}, (1564, 476, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1568}, "\1\0\0\0\1\0\0\0\16\0\2\0\4l\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03961 1344 NtDeviceIoControlFile (1564, 476, 0x0, 0x0, 0x12047, (1564, 476, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0p+&\0\2\0\4l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03962 1344 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0\34\6\0\0\1\0\0\0\16\0\2\0\1\275\255v\270\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03951 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03963 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1572, ) == 0x0 03964 1336 NtWaitForSingleObject (1572, 0, 0x0, ... 03962 1344 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03965 1344 NtSetEventBoostPriority (1572, ... 03964 1336 NtWaitForSingleObject ... ) == 0x0 03966 1336 NtDeviceIoControlFile (1564, 356, 0x0, 0x0, 0x12037, (1564, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1564, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03967 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03965 1344 NtSetEventBoostPriority ... ) == 0x0 03968 1344 NtWaitForSingleObject (440, 0, 0x0, ... 03954 1320 NtDelayExecution ... ) == 0x0 03969 1320 NtSetEventBoostPriority (440, ... 03845 1348 NtWaitForSingleObject ... 
) == 0x0 03970 1348 NtDelayExecution (0, {-10000, -1}, ... 03969 1320 NtSetEventBoostPriority ... ) == 0x0 03971 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03972 1320 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 29359636, 67, ... 1576, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 29359636, 67, ... 1576, {status=0x0, info=0}, ) == 0x0 03973 1320 NtDeviceIoControlFile (1576, 488, 0x0, 0x0, 0x12047, (1576, 488, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\350-&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03974 1320 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03975 1320 NtDeviceIoControlFile (1576, 488, 0x0, 0x0, 0x1203b, (1576, 488, 0x0, 0x0, 0x1203b, "\2\0\0\0x\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03976 1320 NtDeviceIoControlFile (1576, 488, 0x0, 0x0, 0x12003, (1576, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1580}, "\1\0\0\0\1\0\0\0\16\0\2\0\4m\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1580}, (1576, 488, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1580}, "\1\0\0\0\1\0\0\0\16\0\2\0\4m\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03977 1320 NtDeviceIoControlFile (1576, 488, 0x0, 0x0, 0x12047, (1576, 488, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\10-&\0\2\0\4m\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03978 1320 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0(\6\0\0\1\0\0\0\16\0\2\0\1\275\331\270\15\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03967 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03979 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1584, ) == 0x0 03980 1336 NtWaitForSingleObject (1584, 0, 0x0, ... 03978 1320 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03981 1320 NtSetEventBoostPriority (1584, ... 03980 1336 NtWaitForSingleObject ... ) == 0x0 03982 1336 NtDeviceIoControlFile (1576, 356, 0x0, 0x0, 0x12037, (1576, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1576, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03983 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03981 1320 NtSetEventBoostPriority ... ) == 0x0 03984 1320 NtWaitForSingleObject (440, 0, 0x0, ... 03970 1348 NtDelayExecution ... ) == 0x0 03985 1348 NtSetEventBoostPriority (440, ... 03861 1156 NtWaitForSingleObject ... 
) == 0x0 03986 1156 NtDelayExecution (0, {-10000, -1}, ... 03985 1348 NtSetEventBoostPriority ... ) == 0x0 03987 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03988 1348 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 31456788, 67, ... 1588, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 31456788, 67, ... 1588, {status=0x0, info=0}, ) == 0x0 03989 1348 NtDeviceIoControlFile (1588, 516, 0x0, 0x0, 0x12047, (1588, 516, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\200/&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03990 1348 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 03991 1348 NtDeviceIoControlFile (1588, 516, 0x0, 0x0, 0x1203b, (1588, 516, 0x0, 0x0, 0x1203b, "\2\0\0\0\10\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03992 1348 NtDeviceIoControlFile (1588, 516, 0x0, 0x0, 0x12003, (1588, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1592}, "\1\0\0\0\1\0\0\0\16\0\2\0\4n\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1592}, (1588, 516, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1592}, "\1\0\0\0\1\0\0\0\16\0\2\0\4n\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03993 1348 NtDeviceIoControlFile (1588, 516, 0x0, 0x0, 0x12047, (1588, 516, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\240.&\0\2\0\4n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03994 1348 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\04\6\0\0\1\0\0\0\16\0\2\0\1\275rY\224\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03983 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 03995 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1596, ) == 0x0 03996 1336 NtWaitForSingleObject (1596, 0, 0x0, ... 03994 1348 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 03997 1348 NtSetEventBoostPriority (1596, ... 03996 1336 NtWaitForSingleObject ... ) == 0x0 03998 1336 NtDeviceIoControlFile (1588, 356, 0x0, 0x0, 0x12037, (1588, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1588, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03999 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 03997 1348 NtSetEventBoostPriority ... ) == 0x0 04000 1348 NtWaitForSingleObject (440, 0, 0x0, ... 03986 1156 NtDelayExecution ... ) == 0x0 04001 1156 NtSetEventBoostPriority (440, ... 03877 1440 NtWaitForSingleObject ... 
) == 0x0 04002 1440 NtDelayExecution (0, {-10000, -1}, ... 04001 1156 NtSetEventBoostPriority ... ) == 0x0 04003 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04004 1156 NtAllocateVirtualMemory (-1, 2502656, 0, 4096, 4096, 4, ... 2502656, 4096, ) == 0x0 04005 1156 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 33553940, 67, ... 1600, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 33553940, 67, ... 1600, {status=0x0, info=0}, ) == 0x0 04006 1156 NtDeviceIoControlFile (1600, 504, 0x0, 0x0, 0x12047, (1600, 504, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\301&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04007 1156 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04008 1156 NtDeviceIoControlFile (1600, 504, 0x0, 0x0, 0x1203b, (1600, 504, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04009 1156 NtDeviceIoControlFile (1600, 504, 0x0, 0x0, 0x12003, (1600, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1604}, "\1\0\0\0\1\0\0\0\16\0\2\0\4o\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1604}, (1600, 504, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1604}, "\1\0\0\0\1\0\0\0\16\0\2\0\4o\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04010 1156 NtDeviceIoControlFile (1600, 504, 0x0, 0x0, 0x12047, (1600, 504, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\080&\0\2\0\4o\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04011 1156 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0@\6\0\0\1\0\0\0\16\0\2\0\1\275|O\376\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 03999 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 04012 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1608, ) == 0x0 04013 1336 NtWaitForSingleObject (1608, 0, 0x0, ... 04011 1156 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04014 1156 NtSetEventBoostPriority (1608, ... 04013 1336 NtWaitForSingleObject ... ) == 0x0 04015 1336 NtDeviceIoControlFile (1600, 356, 0x0, 0x0, 0x12037, (1600, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1600, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04016 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 04014 1156 NtSetEventBoostPriority ... ) == 0x0 04017 1156 NtWaitForSingleObject (440, 0, 0x0, ... 04002 1440 NtDelayExecution ... ) == 0x0 04018 1440 NtSetEventBoostPriority (440, ... 03888 1308 NtWaitForSingleObject ... 
) == 0x0 04019 1308 NtDelayExecution (0, {-10000, -1}, ... 04018 1440 NtSetEventBoostPriority ... ) == 0x0 04020 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04021 1440 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 35651092, 67, ... 1612, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 35651092, 67, ... 1612, {status=0x0, info=0}, ) == 0x0 04022 1440 NtDeviceIoControlFile (1612, 548, 0x0, 0x0, 0x12047, (1612, 548, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\2602&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04023 1440 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04024 1440 NtDeviceIoControlFile (1612, 548, 0x0, 0x0, 0x1203b, (1612, 548, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04025 1440 NtDeviceIoControlFile (1612, 548, 0x0, 0x0, 0x12003, (1612, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1616}, "\1\0\0\0\1\0\0\0\16\0\2\0\4p\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1616}, (1612, 548, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1616}, "\1\0\0\0\1\0\0\0\16\0\2\0\4p\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04026 1440 NtDeviceIoControlFile (1612, 548, 0x0, 0x0, 0x12047, (1612, 548, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\3201&\0\2\0\4p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04027 1440 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0L\6\0\0\1\0\0\0\16\0\2\0\1\275\300\270i\12\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04016 1336 NtRemoveIoCompletion ... 1906658213, 2500080, {status=0xc000023d, info=0}, ) == 0x0 04028 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1620, ) == 0x0 04029 1336 NtWaitForSingleObject (1620, 0, 0x0, ... 04027 1440 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04030 1440 NtSetEventBoostPriority (1620, ... 04029 1336 NtWaitForSingleObject ... ) == 0x0 04031 1336 NtDeviceIoControlFile (1612, 356, 0x0, 0x0, 0x12037, (1612, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1612, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04032 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 04030 1440 NtSetEventBoostPriority ... ) == 0x0 04033 1440 NtWaitForSingleObject (440, 0, 0x0, ... 04019 1308 NtDelayExecution ... ) == 0x0 04034 1308 NtSetEventBoostPriority (440, ... 03904 1328 NtWaitForSingleObject ... 
) == 0x0 04035 1328 NtDelayExecution (0, {-10000, -1}, ... 04034 1308 NtSetEventBoostPriority ... ) == 0x0 04036 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04037 1308 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 14679568, 67, ... 1624, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 14679568, 67, ... 1624, {status=0x0, info=0}, ) == 0x0 04038 1308 NtDeviceIoControlFile (1624, 360, 0x0, 0x0, 0x12047, (1624, 360, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0H4&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04039 1308 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04040 1308 NtDeviceIoControlFile (1624, 360, 0x0, 0x0, 0x1203b, (1624, 360, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04041 1308 NtDeviceIoControlFile (1624, 360, 0x0, 0x0, 0x12003, (1624, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4q\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1628}, (1624, 360, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1628}, "\1\0\0\0\1\0\0\0\16\0\2\0\4q\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04042 1308 NtDeviceIoControlFile (1624, 360, 0x0, 0x0, 0x12047, (1624, 360, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0h3&\0\2\0\4q\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04043 1308 NtDeviceIoControlFile (412, 0, 0x0, 0x2625f0, 0x12007, (412, 0, 0x0, 0x2625f0, 0x12007, "\0\0\0\0\16\0\2\0X\6\0\0\1\0\0\0\16\0\2\0\1\275\300\250|\214\0\0\0\0\0\0\0\0", 34, 8, ... {status=0x103, info=0}, "", ) , 34, 8, ... {status=0x103, info=0}, "", ) == 0x103 04044 1308 NtWaitForSingleObject (440, 0, 0x0, ... 04035 1328 NtDelayExecution ... ) == 0x0 04045 1328 NtSetEventBoostPriority (440, ... 03920 1324 NtWaitForSingleObject ... ) == 0x0 04046 1324 NtDelayExecution (0, {-10000, -1}, ... 04045 1328 NtSetEventBoostPriority ... ) == 0x0 04047 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04048 1328 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 20971024, 67, ... 1632, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 20971024, 67, ... 
1632, {status=0x0, info=0}, ) == 0x0 04049 1328 NtDeviceIoControlFile (1632, 396, 0x0, 0x0, 0x12047, (1632, 396, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\3405&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04050 1328 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04051 1328 NtDeviceIoControlFile (1632, 396, 0x0, 0x0, 0x1203b, (1632, 396, 0x0, 0x0, 0x1203b, "\2\0\0\0\30\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04052 1328 NtDeviceIoControlFile (1632, 396, 0x0, 0x0, 0x12003, (1632, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1636}, "\1\0\0\0\1\0\0\0\16\0\2\0\4r\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1636}, (1632, 396, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1636}, "\1\0\0\0\1\0\0\0\16\0\2\0\4r\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04053 1328 NtDeviceIoControlFile (1632, 396, 0x0, 0x0, 0x12047, (1632, 396, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\05&\0\2\0\4r\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04054 1328 NtDeviceIoControlFile (412, 0, 0x0, 0x263628, 0x12007, (412, 0, 0x0, 0x263628, 0x12007, "\0\0\0\0\16\0\2\0`\6\0\0\1\0\0\0\16\0\2\0\1\275^\11o\13\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04032 1336 NtRemoveIoCompletion ... 1906658213, 2504232, {status=0xc000023d, info=0}, ) == 0x0 04055 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1640, ) == 0x0 04056 1336 NtWaitForSingleObject (1640, 0, 0x0, ... 04054 1328 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04057 1328 NtSetEventBoostPriority (1640, ... 04056 1336 NtWaitForSingleObject ... ) == 0x0 04058 1336 NtDeviceIoControlFile (1632, 356, 0x0, 0x0, 0x12037, (1632, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1632, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04059 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 04057 1328 NtSetEventBoostPriority ... ) == 0x0 04060 1328 NtWaitForSingleObject (440, 0, 0x0, ... 04046 1324 NtDelayExecution ... ) == 0x0 04061 1324 NtSetEventBoostPriority (440, ... 03936 1332 NtWaitForSingleObject ... 
) == 0x0 04062 1332 NtDelayExecution (0, {-10000, -1}, ... 04061 1324 NtSetEventBoostPriority ... ) == 0x0 04063 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04064 1324 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 16776720, 67, ... 1644, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 16776720, 67, ... 1644, {status=0x0, info=0}, ) == 0x0 04065 1324 NtDeviceIoControlFile (1644, 380, 0x0, 0x0, 0x12047, (1644, 380, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\3007&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04066 1324 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04067 1324 NtDeviceIoControlFile (1644, 380, 0x0, 0x0, 0x1203b, (1644, 380, 0x0, 0x0, 0x1203b, "\2\0\0\0\250\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04068 1324 NtDeviceIoControlFile (1644, 380, 0x0, 0x0, 0x12003, (1644, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1648}, "\1\0\0\0\1\0\0\0\16\0\2\0\4s\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1648}, (1644, 380, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1648}, "\1\0\0\0\1\0\0\0\16\0\2\0\4s\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04069 1324 NtDeviceIoControlFile (1644, 380, 0x0, 0x0, 0x12047, (1644, 380, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\3406&\0\2\0\4s\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04070 1324 NtDeviceIoControlFile (412, 0, 0x0, 0x263628, 0x12007, (412, 0, 0x0, 0x263628, 0x12007, "\0\0\0\0\16\0\2\0l\6\0\0\1\0\0\0\16\0\2\0\1\275\271Z\303\13\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04059 1336 NtRemoveIoCompletion ... 1906658213, 2504232, {status=0xc000023d, info=0}, ) == 0x0 04071 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1652, ) == 0x0 04072 1336 NtWaitForSingleObject (1652, 0, 0x0, ... 04070 1324 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04073 1324 NtSetEventBoostPriority (1652, ... 04072 1336 NtWaitForSingleObject ... ) == 0x0 04074 1336 NtDeviceIoControlFile (1644, 356, 0x0, 0x0, 0x12037, (1644, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1644, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04075 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 04073 1324 NtSetEventBoostPriority ... ) == 0x0 04076 1324 NtWaitForSingleObject (440, 0, 0x0, ... 04062 1332 NtDelayExecution ... ) == 0x0 04077 1332 NtSetEventBoostPriority (440, ... 03952 1312 NtWaitForSingleObject ... 
) == 0x0 04078 1312 NtDelayExecution (0, {-10000, -1}, ... 04077 1332 NtSetEventBoostPriority ... ) == 0x0 04079 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04080 1332 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 18873872, 67, ... 1656, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 18873872, 67, ... 1656, {status=0x0, info=0}, ) == 0x0 04081 1332 NtDeviceIoControlFile (1656, 400, 0x0, 0x0, 0x12047, (1656, 400, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0X9&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04082 1332 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04083 1332 NtDeviceIoControlFile (1656, 400, 0x0, 0x0, 0x1203b, (1656, 400, 0x0, 0x0, 0x1203b, "\2\0\0\08\350$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04084 1332 NtDeviceIoControlFile (1656, 400, 0x0, 0x0, 0x12003, (1656, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1660}, "\1\0\0\0\1\0\0\0\16\0\2\0\4t\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1660}, (1656, 400, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1660}, "\1\0\0\0\1\0\0\0\16\0\2\0\4t\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04085 1332 NtDeviceIoControlFile (1656, 400, 0x0, 0x0, 0x12047, (1656, 400, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0x8&\0\2\0\4t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04086 1332 NtDeviceIoControlFile (412, 0, 0x0, 0x263628, 0x12007, (412, 0, 0x0, 0x263628, 0x12007, "\0\0\0\0\16\0\2\0x\6\0\0\1\0\0\0\16\0\2\0\1\275\226At\13\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04075 1336 NtRemoveIoCompletion ... 1906658213, 2504232, {status=0xc000023d, info=0}, ) == 0x0 04087 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1664, ) == 0x0 04088 1336 NtWaitForSingleObject (1664, 0, 0x0, ... 04086 1332 NtDeviceIoControlFile ... {status=0xc000023d, info=0}, "", ) == 0x103 04089 1332 NtSetEventBoostPriority (1664, ... 04088 1336 NtWaitForSingleObject ... ) == 0x0 04090 1336 NtDeviceIoControlFile (1656, 356, 0x0, 0x0, 0x12037, (1656, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (1656, 356, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 04091 1336 NtRemoveIoCompletion (372, {1294967296, -1}, ... 04089 1332 NtSetEventBoostPriority ... ) == 0x0 04092 1332 NtWaitForSingleObject (440, 0, 0x0, ... 04078 1312 NtDelayExecution ... ) == 0x0 04093 1312 NtSetEventBoostPriority (440, ... 03968 1344 NtWaitForSingleObject ... 
) == 0x0 04094 1344 NtDelayExecution (0, {-10000, -1}, ... 04093 1312 NtSetEventBoostPriority ... ) == 0x0 04095 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04096 1312 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 25165328, 67, ... 1668, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 25165328, 67, ... 1668, {status=0x0, info=0}, ) == 0x0 04097 1312 NtDeviceIoControlFile (1668, 448, 0x0, 0x0, 0x12047, (1668, 448, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\360:&\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 04098 1312 NtWaitForSingleObject (84, 0, {0, 0}, ... ) == 0x102 04099 1312 NtDeviceIoControlFile (1668, 448, 0x0, 0x0, 0x1203b, (1668, 448, 0x0, 0x0, 0x1203b, "\2\0\0\0H\347$\0\1\0\0\0\2$\370w", 16, 0, ... {status=0x0, info=0}, 0x0, ) , 16, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04100 1312 NtDeviceIoControlFile (1668, 448, 0x0, 0x0, 0x12003, (1668, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=1672}, "\1\0\0\0\1\0\0\0\16\0\2\0\4u\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=1672}, (1668, 448, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=1672}, "\1\0\0\0\1\0\0\0\16\0\2\0\4u\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 04101 1312 NtDeviceIoControlFile (1668, 448, 0x0, 0x0, 0x12047, (1668, 448, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0@\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\20:&\0\2\0\4u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04102 1312 NtDeviceIoControlFile (412, 0, 0x0, 0x263628, 0x12007, (412, 0, 0x0, 0x263628, 0x12007, "\0\0\0\0\16\0\2\0\204\6\0\0\1\0\0\0\16\0\2\0\1\275$N&\13\0\0\0\0\0\0\0\0", 34, 8, ... , 34, 8, ... 04091 1336 NtRemoveIoCompletion ... 1906658213, 2504232, {status=0xc000023d, info=0}, ) == 0x0 04103 1336 NtCreateEvent (0x100003, 0x0, 1, 0, ... 1676, ) == 0x0