Summary:


NtAdjustPrivilegesToken(>)  1 
NtTestAlert(>)  1 
NtSetInformationObject(>)  2 
NtQuerySystemInformation(>)  14 

NtCallbackReturn(>)  1 
NtUserCallNoParam(>)  1 
NtTerminateProcess(>)  2 
NtUserRegisterClassExWOW(>)  14 

NtCreateThread(>)  1 
NtUserGetThreadDesktop(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtCreateFile(>)  15 

NtDelayExecution(>)  1 
NtWaitForMultipleObjects(>)  1 
NtSetInformationThread(>)  3 
NtFreeVirtualMemory(>)  29 

NtGdiCreateBitmap(>)  1 
NtWriteFile(>)  1 
NtQueryInformationToken(>)  4 
NtOpenProcess(>)  29 

NtGdiInit(>)  1 
NtContinue(>)  2 
NtQueryVolumeInformationFile(>)  4 
NtFlushInstructionCache(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtCreateIoCompletion(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenKey(>)  37 

NtGdiSelectBitmap(>)  1 
NtCreateSemaphore(>)  2 
NtQuerySection(>)  5 
NtUnmapViewOfSection(>)  38 

NtOpenKeyedEvent(>)  1 
NtDuplicateObject(>)  2 
NtDeviceIoControlFile(>)  6 
NtOpenSection(>)  45 

NtOpenSymbolicLinkObject(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFsControlFile(>)  6 
NtQueryVirtualMemory(>)  55 

NtQueryInformationFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryInformationProcess(>)  8 
NtCreateSection(>)  59 

NtQueryObject(>)  1 
NtOpenProcessToken(>)  2 
NtOpenFile(>)  9 
NtAllocateVirtualMemory(>)  78 

NtQuerySymbolicLinkObject(>)  1 
NtOpenProcessTokenEx(>)  2 
NtRequestWaitReplyPort(>)  9 
NtMapViewOfSection(>)  84 

NtQuerySystemTime(>)  1 
NtOpenThreadToken(>)  2 
NtUserFindExistingCursorIcon(>)  9 
NtWriteVirtualMemory(>)  116 

NtRegisterThreadTerminatePort(>)  1 
NtOpenThreadTokenEx(>)  2 
NtQueryAttributesFile(>)  12 
NtProtectVirtualMemory(>)  179 

NtResumeThread(>)  1 
NtQueryDefaultLocale(>)  2 
NtQueryValueKey(>)  12 
NtClose(>)  233 

NtSecureConnectPort(>)  1 
NtReadFile(>)  2 
NtCreateEvent(>)  13 

NtSetInformationProcess(>)  1 
NtSetInformationFile(>)  2 

Trace:
 00001  2016   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482748, {status=0x0, info=1}, ) }, 0, 32, ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00002  2016   NtQueryInformationFile  (-2147482748, -135238604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003  2016   NtReadFile  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482748, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004  2016   NtClose  (-2147482748, ... ) == 0x0
 00005  2016   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482748, {status=0x0, info=0}, ) == 0x0
 00006  2016   NtQueryVolumeInformationFile  (-2147482748, -135238648, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007  2016   NtClose  (-2147482748, ... ) == 0x0
 00008  2016   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009  2016   NtContinue  (-135243448, 0, ...
 00008  2016   NtCreateFile  ... -2147482748, {status=0x0, info=1}, ) == 0x0
 00010  2016   NtQueryVolumeInformationFile  (-2147482748, -135238660, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011  2016   NtFsControlFile  (-2147482748, 0, 0x0, 0x0, 0x90120,  (-2147482748, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00013  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015  2016   NtClose  (-2147481484, ... ) == 0x0
 00016  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00017  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019  2016   NtClose  (-2147481484, ... ) == 0x0
 00020  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00021  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027  2016   NtClose  (-2147481484, ... ) == 0x0
 00028  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00029  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031  2016   NtClose  (-2147481484, ... ) == 0x0
 00032  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147481484, {status=0x0, info=1}, ) == 0x0
 00033  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034  2016   NtQueryDirectoryFile  (-2147481484, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035  2016   NtClose  (-2147481484, ... ) == 0x0
 00036  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00037  2016   NtClose  (-2147482104, ... ) == 0x0
 00038  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482660, ) == 0x0
 00039  2016   NtClose  (-2147482660, ... ) == 0x0
 00040  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041  2016   NtClose  (-2147482656, ... ) == 0x0
 00042  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043  2016   NtClose  (-2147482652, ... ) == 0x0
 00044  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045  2016   NtClose  (-2147482724, ... ) == 0x0
 00046  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047  2016   NtClose  (-2147481452, ... ) == 0x0
 00048  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049  2016   NtClose  (-2147482684, ... ) == 0x0
 00050  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051  2016   NtClose  (-2147482680, ... ) == 0x0
 00052  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147481628, ) == 0x0
 00053  2016   NtClose  (-2147481628, ... ) == 0x0
 00054  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147482760, ) == 0x0
 00055  2016   NtClose  (-2147482760, ... ) == 0x0
 00056  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147482764, ) == 0x0
 00057  2016   NtClose  (-2147482764, ... ) == 0x0
 00058  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00059  2016   NtClose  (-2147482688, ... ) == 0x0
 00060  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482136, ) == 0x0
 00061  2016   NtClose  (-2147482136, ... ) == 0x0
 00062  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482136, ... -2147481480, ) == 0x0
 00063  2016   NtClose  (-2147481480, ... ) == 0x0
 00064  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481480, ... -2147482676, ) == 0x0
 00065  2016   NtClose  (-2147482676, ... ) == 0x0
 00066  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067  2016   NtClose  (-2147482672, ... ) == 0x0
 00068  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069  2016   NtClose  (-2147482668, ... ) == 0x0
 00070  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071  2016   NtClose  (-2147482664, ... ) == 0x0
 00072  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073  2016   NtClose  (-2147481588, ... ) == 0x0
 00074  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075  2016   NtClose  (-2147481584, ... ) == 0x0
 00076  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077  2016   NtClose  (-2147482692, ... ) == 0x0
 00078  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079  2016   NtClose  (-2147481512, ... ) == 0x0
 00080  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081  2016   NtClose  (-2147481580, ... ) == 0x0
 00082  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083  2016   NtClose  (-2147481552, ... ) == 0x0
 00084  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085  2016   NtClose  (-2147481592, ... ) == 0x0
 00086  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087  2016   NtClose  (-2147481596, ... ) == 0x0
 00088  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089  2016   NtClose  (-2147482108, ... ) == 0x0
 00090  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091  2016   NtClose  (-2147482732, ... ) == 0x0
 00092  2016   NtClose  (-2147481484, ... ) == 0x0
 00093  2016   NtClose  (-2147482104, ... ) == 0x0
 00094  2016   NtClose  (-2147482660, ... ) == 0x0
 00095  2016   NtClose  (-2147482656, ... ) == 0x0
 00096  2016   NtClose  (-2147482652, ... ) == 0x0
 00097  2016   NtClose  (-2147482724, ... ) == 0x0
 00098  2016   NtClose  (-2147481452, ... ) == 0x0
 00099  2016   NtClose  (-2147482684, ... ) == 0x0
 00100  2016   NtClose  (-2147482680, ... ) == 0x0
 00101  2016   NtClose  (-2147481628, ... ) == 0x0
 00102  2016   NtClose  (-2147482760, ... ) == 0x0
 00103  2016   NtClose  (-2147482764, ... ) == 0x0
 00104  2016   NtClose  (-2147482688, ... ) == 0x0
 00105  2016   NtClose  (-2147482136, ... ) == 0x0
 00106  2016   NtClose  (-2147481480, ... ) == 0x0
 00107  2016   NtClose  (-2147482676, ... ) == 0x0
 00108  2016   NtClose  (-2147482672, ... ) == 0x0
 00109  2016   NtClose  (-2147482668, ... ) == 0x0
 00110  2016   NtClose  (-2147482664, ... ) == 0x0
 00111  2016   NtClose  (-2147481588, ... ) == 0x0
 00112  2016   NtClose  (-2147481584, ... ) == 0x0
 00113  2016   NtClose  (-2147482692, ... ) == 0x0
 00114  2016   NtClose  (-2147481512, ... ) == 0x0
 00115  2016   NtClose  (-2147481580, ... ) == 0x0
 00116  2016   NtClose  (-2147481552, ... ) == 0x0
 00117  2016   NtClose  (-2147481592, ... ) == 0x0
 00118  2016   NtClose  (-2147481596, ... ) == 0x0
 00119  2016   NtClose  (-2147482108, ... ) == 0x0
 00120  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121  2016   NtClose  (-2147481596, ... ) == 0x0
 00122  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123  2016   NtClose  (-2147481592, ... ) == 0x0
 00124  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125  2016   NtClose  (-2147481552, ... ) == 0x0
 00126  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127  2016   NtClose  (-2147481580, ... ) == 0x0
 00128  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129  2016   NtClose  (-2147481512, ... ) == 0x0
 00130  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131  2016   NtClose  (-2147482692, ... ) == 0x0
 00132  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133  2016   NtClose  (-2147481584, ... ) == 0x0
 00134  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135  2016   NtClose  (-2147481588, ... ) == 0x0
 00136  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137  2016   NtClose  (-2147482664, ... ) == 0x0
 00138  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139  2016   NtClose  (-2147482668, ... ) == 0x0
 00140  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141  2016   NtClose  (-2147482672, ... ) == 0x0
 00142  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143  2016   NtClose  (-2147482676, ... ) == 0x0
 00144  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481480, ) == 0x0
 00145  2016   NtClose  (-2147481480, ... ) == 0x0
 00146  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481480, ... -2147482136, ) == 0x0
 00147  2016   NtClose  (-2147482136, ... ) == 0x0
 00148  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482136, ... -2147482688, ) == 0x0
 00149  2016   NtClose  (-2147482688, ... ) == 0x0
 00150  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482688, ... -2147482764, ) == 0x0
 00151  2016   NtClose  (-2147482764, ... ) == 0x0
 00152  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482764, ... -2147482760, ) == 0x0
 00153  2016   NtClose  (-2147482760, ... ) == 0x0
 00154  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147481628, ) == 0x0
 00155  2016   NtClose  (-2147481628, ... ) == 0x0
 00156  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482680, ) == 0x0
 00157  2016   NtClose  (-2147482680, ... ) == 0x0
 00158  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159  2016   NtClose  (-2147482684, ... ) == 0x0
 00160  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161  2016   NtClose  (-2147481452, ... ) == 0x0
 00162  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163  2016   NtClose  (-2147482724, ... ) == 0x0
 00164  2016   NtClose  (-2147482108, ... ) == 0x0
 00165  2016   NtClose  (-2147481596, ... ) == 0x0
 00166  2016   NtClose  (-2147481592, ... ) == 0x0
 00167  2016   NtClose  (-2147481552, ... ) == 0x0
 00168  2016   NtClose  (-2147481580, ... ) == 0x0
 00169  2016   NtClose  (-2147481512, ... ) == 0x0
 00170  2016   NtClose  (-2147482692, ... ) == 0x0
 00171  2016   NtClose  (-2147481584, ... ) == 0x0
 00172  2016   NtClose  (-2147481588, ... ) == 0x0
 00173  2016   NtClose  (-2147482664, ... ) == 0x0
 00174  2016   NtClose  (-2147482668, ... ) == 0x0
 00175  2016   NtClose  (-2147482672, ... ) == 0x0
 00176  2016   NtClose  (-2147482676, ... ) == 0x0
 00177  2016   NtClose  (-2147481480, ... ) == 0x0
 00178  2016   NtClose  (-2147482136, ... ) == 0x0
 00179  2016   NtClose  (-2147482688, ... ) == 0x0
 00180  2016   NtClose  (-2147482764, ... ) == 0x0
 00181  2016   NtClose  (-2147482760, ... ) == 0x0
 00182  2016   NtClose  (-2147481628, ... ) == 0x0
 00183  2016   NtClose  (-2147482680, ... ) == 0x0
 00184  2016   NtClose  (-2147482684, ... ) == 0x0
 00185  2016   NtClose  (-2147481452, ... ) == 0x0
 00186  2016   NtClose  (-2147482748, ... ) == 0x0
 00187  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188  2016   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 8, ) }, ... 8, ) == 0x0
 00189  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 524288, 1048576, ) == 0x0
 00191  2016   NtAllocateVirtualMemory  (-1, 524288, 0, 4096, 4096, 4, ... 524288, 4096, ) == 0x0
 00192  2016   NtAllocateVirtualMemory  (-1, 528384, 0, 8192, 4096, 4, ... 528384, 8192, ) == 0x0
 00193  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 1572864, 65536, ) == 0x0
 00195  2016   NtAllocateVirtualMemory  (-1, 1572864, 0, 24576, 4096, 4, ... 1572864, 24576, ) == 0x0
 00196  2016   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 12, ) }, ... 12, ) == 0x0
 00197  2016   NtOpenSymbolicLinkObject  (0x1, {24, 12, 0x40, 0, 0,  (0x1, {24, 12, 0x40, 0, 0, "KnownDllPath"}, ... 16, ) }, ... 16, ) == 0x0
 00198  2016   NtQuerySymbolicLinkObject  (16, ...  (16, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199  2016   NtClose  (16, ... ) == 0x0
 00200  2016   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 16, {status=0x0, info=1}, ) }, 3, 33, ... 16, {status=0x0, info=1}, ) == 0x0
 00201  2016   NtQueryVolumeInformationFile  (16, 457420, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 457372, ... ) }, 457372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "kernel32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00204  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205  2016   NtClose  (20, ... ) == 0x0
 00206  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208  2016   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210  2016   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212  2016   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 20, ) == 0x0
 00213  2016   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 533304, {12, 0, 0}, 455512, 44, ... 28, {24, 20, 0, 65536, 1638400, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 533304, {12, 0, 0}, 455512, 44, ... 28, {24, 20, 0, 65536, 1638400, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214  2016   NtClose  (20, ... ) == 0x0
 00215  2016   NtQueryObject  (28, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216  2016   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218  2016   NtQueryVirtualMemory  (-1, 0x190000, Basic, 28, ... {BaseAddress=0x190000,AllocationBase=0x190000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219  2016   NtAllocateVirtualMemory  (-1, 1638400, 0, 4096, 4096, 4, ... 1638400, 4096, ) == 0x0
 00220  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 455828, 456028, 2089900544, 455752}  (28, {28, 56, new_msg, 0, 455828, 456028, 2089900544, 455752} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81841, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81841, 0}  (28, {28, 56, new_msg, 0, 455828, 456028, 2089900544, 455752} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81841, 0} "0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221  2016   NtRegisterThreadTerminatePort  (28, ... ) == 0x0
 00222  2016   NtAllocateVirtualMemory  (-1, 446464, 0, 4096, 4096, 260, ... 446464, 4096, ) == 0x0
 00223  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00224  2016   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225  2016   NtClose  (20, ... ) == 0x0
 00226  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 20, ) }, ... 20, ) == 0x0
 00227  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1a0000), 0x0, 90112, ) == 0x0
 00228  2016   NtClose  (20, ... ) == 0x0
 00229  2016   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 20, ) }, ... 20, ) == 0x0
 00231  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x1c0000), 0x0, 249856, ) == 0x0
 00232  2016   NtClose  (20, ... ) == 0x0
 00233  2016   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 20, ) }, ... 20, ) == 0x0
 00234  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x200000), 0x0, 266240, ) == 0x0
 00235  2016   NtQuerySection  (20, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236  2016   NtClose  (20, ... ) == 0x0
 00237  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 20, ) }, ... 20, ) == 0x0
 00238  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x250000), 0x0, 24576, ) == 0x0
 00239  2016   NtClose  (20, ... ) == 0x0
 00240  2016   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243  2016   NtAllocateVirtualMemory  (-1, 1642496, 0, 8192, 4096, 4, ... 1642496, 8192, ) == 0x0
 00244  2016   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 896, 2016, 81842, 0}  (28, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81842, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81843, 0}  (28, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81843, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246  2016   NtWaitForMultipleObjects  (2, (20, 32, ), 1, 0, 0x0, ... ) == 0x0
 00247  2016   NtClose  (20, ... ) == 0x0
 00248  2016   NtClose  (32, ... ) == 0x0
 00249  2016   NtRequestWaitReplyPort  (28, {24, 52, new_msg, 0, 0, 0, 0, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 896, 2016, 81844, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ... {24, 52, reply, 0, 896, 2016, 81844, 0}  (28, {24, 52, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0Q\2\2\0\0\0\0\0\0\0\0\0\1\0<\0\0\0\0\0" ... {24, 52, reply, 0, 896, 2016, 81844, 0} "\0\0\0\0Q\2\2\0\273\0\0\300\0\0\0\0\1\0<\0\0\0\0\0" )  ) == 0x0
 00250  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00251  2016   NtAllocateVirtualMemory  (-1, 536576, 0, 4096, 4096, 4, ... 536576, 4096, ) == 0x0
 00252  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 456112, ... ) }, 456112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253  2016   NtFsControlFile  (16, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00254  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 456112, ... ) }, 456112, ... ) == 0x0
 00255  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00256  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00257  2016   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00258  2016   NtOpenProcessToken  (-1, 0x8, ... 44, ) == 0x0
 00259  2016   NtQueryInformationToken  (44, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00260  2016   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00261  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0
 00262  2016   NtQueryValueKey  (48,  (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (48, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00263  2016   NtClose  (48, ... ) == 0x0
 00264  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00265  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 48, ) == 0x0
 00266  2016   NtQueryInformationToken  (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00267  2016   NtClose  (48, ... ) == 0x0
 00268  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269  2016   NtClose  (44, ... ) == 0x0
 00270  2016   NtClose  (32, ... ) == 0x0
 00271  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00272  2016   NtClose  (20, ... ) == 0x0
 00273  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "msvcrt.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00274  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00275  2016   NtClose  (20, ... ) == 0x0
 00276  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00277  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00278  2016   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00279  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00280  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00281  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00282  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 455296, ... ) }, 455296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 455296, ... ) }, 455296, ... ) == 0x0
 00285  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 20, {status=0x0, info=1}, ) }, 5, 96, ... 20, {status=0x0, info=1}, ) == 0x0
 00286  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 20, ... 32, ) == 0x0
 00287  2016   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00288  2016   NtClose  (20, ... ) == 0x0
 00289  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00290  2016   NtClose  (32, ... ) == 0x0
 00291  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00292  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00293  2016   NtClose  (32, ... ) == 0x0
 00294  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00295  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00296  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00297  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00298  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00299  2016   NtClose  (32, ... ) == 0x0
 00300  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00301  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00302  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00303  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00304  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00305  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00306  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00307  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00308  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00309  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00310  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00311  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00312  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00313  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00314  2016   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00315  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00316  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00317  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00318  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 128, ) == 0x0
 00319  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 128, ... (0x1001000), 4096, 4, ) == 0x0
 00320  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00321  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 64, ) == 0x0
 00322  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 64, ... (0x1001000), 4096, 4, ) == 0x0
 00323  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00324  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 64, ) == 0x0
 00325  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 64, ... (0x1001000), 4096, 4, ) == 0x0
 00326  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00327  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 64, ) == 0x0
 00328  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 64, ... (0x1001000), 4096, 4, ) == 0x0
 00329  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00330  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00331  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 456112, ... ) }, 456112, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00332  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 456112, ... ) }, 456112, ... ) == 0x0
 00333  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\iphlpapi.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00334  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 20, ) == 0x0
 00335  2016   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00336  2016   NtClose  (32, ... ) == 0x0
 00337  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 102400, ) == 0x0
 00338  2016   NtClose  (20, ... ) == 0x0
 00339  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00340  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00341  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00342  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00343  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00344  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00345  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00346  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00347  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00348  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00349  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00350  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00351  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "USER32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00352  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00353  2016   NtClose  (20, ... ) == 0x0
 00354  2016   NtOpenSection  (0xe, {24, 12, 0x40, 0, 0,  (0xe, {24, 12, 0x40, 0, 0, "GDI32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00355  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00356  2016   NtClose  (20, ... ) == 0x0
 00357  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00358  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00359  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00360  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00361  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00362  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00363  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00364  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00365  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00366  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00367  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00368  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00369  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00370  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00371  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00372  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00373  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00374  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00375  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00376  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00377  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00378  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 500, 4, ... (0x76d61000), 4096, 32, ) == 0x0
 00379  2016   NtProtectVirtualMemory  (-1, (0x76d61000), 4096, 32, ... (0x76d61000), 4096, 4, ) == 0x0
 00380  2016   NtFlushInstructionCache  (-1, 1993740288, 500, ... ) == 0x0
 00381  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 64, ) == 0x0
 00382  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 64, ... (0x1001000), 4096, 4, ) == 0x0
 00383  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00384  2016   NtProtectVirtualMemory  (-1, (0x1001000), 384, 4, ... (0x1001000), 4096, 64, ) == 0x0
 00385  2016   NtProtectVirtualMemory  (-1, (0x1001000), 4096, 64, ... (0x1001000), 4096, 4, ) == 0x0
 00386  2016   NtFlushInstructionCache  (-1, 16781312, 384, ... ) == 0x0
 00387  2016   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00388  2016   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00389  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00390  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00391  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2490368, 65536, ) == 0x0
 00392  2016   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00393  2016   NtAllocateVirtualMemory  (-1, 2494464, 0, 8192, 4096, 4, ... 2494464, 8192, ) == 0x0
 00394  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 524648, 0, 0, 537096}  (28, {28, 56, new_msg, 0, 524648, 0, 0, 537096} "\0\0\0\0#\2\2\0\0\0\0\0x\1\10\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81845, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\10\0\1\0\0\0\1\0<\0\3\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81845, 0}  (28, {28, 56, new_msg, 0, 524648, 0, 0, 537096} "\0\0\0\0#\2\2\0\0\0\0\0x\1\10\0 \0\0\0\1\0<\0\3\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81845, 0} "\0\0\0\0#\2\2\0\0\0\0\0x\1\10\0\1\0\0\0\1\0<\0\3\0\0\0" )  ) == 0x0
 00395  2016   NtQueryVolumeInformationFile  (4, 456928, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00396  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 2089884154, 2498384, 1, 0}  (28, {28, 56, new_msg, 0, 2089884154, 2498384, 1, 0} "\0\0\0\0#\2\2\0\200\310\227|\234\367\6\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81846, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\6\0\1\0\0\0\1\0<\0\13\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81846, 0}  (28, {28, 56, new_msg, 0, 2089884154, 2498384, 1, 0} "\0\0\0\0#\2\2\0\200\310\227|\234\367\6\0\1\0\0\0\1\0<\0\13\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81846, 0} "\0\0\0\0#\2\2\0\0\0\0\0\234\367\6\0\1\0\0\0\1\0<\0\13\0\0\0" )  ) == 0x0
 00397  2016   NtAllocateVirtualMemory  (-1, 2502656, 0, 4096, 4096, 4, ... 2502656, 4096, ) == 0x0
 00398  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 20, ) }, ... 20, ) == 0x0
 00399  2016   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 12288, ) == 0x0
 00400  2016   NtClose  (20, ... ) == 0x0
 00401  2016   NtAllocateVirtualMemory  (-1, 2506752, 0, 4096, 4096, 4, ... 2506752, 4096, ) == 0x0
 00402  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00403  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00404  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00405  2016   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00406  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00407  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 20, ) }, ... 20, ) == 0x0
 00409  2016   NtQueryValueKey  (20,  (20, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410  2016   NtClose  (20, ... ) == 0x0
 00411  2016   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 20, ) }, ... 20, ) == 0x0
 00412  2016   NtSetInformationObject  (20, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00413  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00417  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00418  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00419  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00420  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00421  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 256, 0, 256, 456404}  (28, {28, 56, new_msg, 0, 256, 0, 256, 456404} "\210\6!\1\0\0\0\0\270;\10\0h\1\10\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81847, 0} "\320G\26\0\0\0\0\0\0\0\0\0h\1\10\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81847, 0}  (28, {28, 56, new_msg, 0, 256, 0, 256, 456404} "\210\6!\1\0\0\0\0\270;\10\0h\1\10\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81847, 0} "\320G\26\0\0\0\0\0\0\0\0\0h\1\10\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00422  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0
 00423  2016   NtQueryValueKey  (32,  (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00424  2016   NtClose  (32, ... ) == 0x0
 00425  2016   NtAllocateVirtualMemory  (-1, 540672, 0, 4096, 4096, 4, ... 540672, 4096, ) == 0x0
 00426  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 452988, ... ) }, 452988, ... ) == 0x0
 00427  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00428  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 44, ) == 0x0
 00429  2016   NtClose  (32, ... ) == 0x0
 00430  2016   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x350000), 0x0, 110592, ) == 0x0
 00431  2016   NtClose  (44, ... ) == 0x0
 00432  2016   NtUnmapViewOfSection  (-1, 0x350000, ... ) == 0x0
 00433  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 452896, ... ) }, 452896, ... ) == 0x0
 00434  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00435  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 32, ) == 0x0
 00436  2016   NtClose  (44, ... ) == 0x0
 00437  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x350000), 0x0, 110592, ) == 0x0
 00438  2016   NtClose  (32, ... ) == 0x0
 00439  2016   NtUnmapViewOfSection  (-1, 0x350000, ... ) == 0x0
 00440  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 453204, ... ) }, 453204, ... ) == 0x0
 00441  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00442  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 44, ) == 0x0
 00443  2016   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00444  2016   NtClose  (32, ... ) == 0x0
 00445  2016   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00446  2016   NtClose  (44, ... ) == 0x0
 00447  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00448  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00449  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00450  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00451  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00452  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00453  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00454  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00455  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00456  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00457  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00458  2016   NtAllocateVirtualMemory  (-1, 442368, 0, 4096, 4096, 260, ... 442368, 4096, ) == 0x0
 00459  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 450120, ... ) }, 450120, ... ) == 0x0
 00460  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00461  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 453524, ... ) }, 453524, ... ) == 0x0
 00464  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 44, ) }, ... 44, ) == 0x0
 00466  2016   NtQueryValueKey  (44,  (44, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00467  2016   NtClose  (44, ... ) == 0x0
 00468  2016   NtMapViewOfSection  (-2147482748, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x350000), 0x0, 1060864, ) == 0x0
 00469  2016   NtClose  (-2147482748, ... ) == 0x0
 00470  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00471  2016   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00472  2016   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482748, ) == 0x0
 00473  2016   NtQueryInformationToken  (-2147482748, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00474  2016   NtQueryInformationToken  (-2147482748, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00475  2016   NtClose  (-2147482748, ... ) == 0x0
 00476  2016   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4587520, 4096, ) == 0x0
 00477  2016   NtFreeVirtualMemory  (-1, (0x460000), 4096, 32768, ... (0x460000), 4096, ) == 0x0
 00478  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00479  2016   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00480  2016   NtClose  (-2147482748, ... ) == 0x0
 00481  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482748, ) }, ... -2147482748, ) == 0x0
 00482  2016   NtQueryValueKey  (-2147482748,  (-2147482748, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00483  2016   NtClose  (-2147482748, ... ) == 0x0
 00484  2016   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00485  2016   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00486  2016   NtUserCallNoParam  (24, ... ) == 0x0
 00487  2016   NtGdiCreateCompatibleDC  (0, ...
 00488  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4587520, 4096, ) == 0x0
 00487  2016   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00489  2016   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00490  2016   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00491  2016   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00492  2016   NtGdiCreateSolidBrush  (0, 0, ...
 00493  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 7798784, 4096, ) == 0x0
 00492  2016   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00494  2016   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00495  2016   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00496  2016   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00497  2016   NtUserGetThreadDesktop  (2016, 0, ... ) == 0x30
 00498  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00499  2016   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00500  2016   NtClose  (52, ... ) == 0x0
 00501  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00502  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 673, 128, 0, ... ) == 0x8177c017
 00503  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00504  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 674, 128, 0, ... ) == 0x8177c01c
 00505  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00506  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 675, 128, 0, ... ) == 0x8177c01e
 00507  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00508  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 676, 128, 0, ... ) == 0x81778002
 00509  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10013
 00510  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 677, 128, 0, ... ) == 0x8177c018
 00511  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00512  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 678, 128, 0, ... ) == 0x8177c01a
 00513  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00514  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 679, 128, 0, ... ) == 0x8177c01d
 00515  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00516  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 681, 128, 0, ... ) == 0x8177c026
 00517  2016   NtUserFindExistingCursorIcon  (454700, 454716, 454764, ... ) == 0x10011
 00518  2016   NtUserRegisterClassExWOW  (454712, 454780, 454796, 454812, 680, 128, 0, ... ) == 0x8177c019
 00519  2016   NtUserRegisterClassExWOW  (454664, 454732, 454748, 454764, 0, 128, 0, ... ) == 0x8177c020
 00520  2016   NtUserRegisterClassExWOW  (454920, 455016, 455000, 454988, 0, 130, 0, ... ) == 0x8177c022
 00521  2016   NtUserRegisterClassExWOW  (454664, 454732, 454748, 454764, 0, 128, 0, ... ) == 0x8177c023
 00522  2016   NtUserRegisterClassExWOW  (454920, 455016, 455000, 454988, 0, 130, 0, ... ) == 0x8177c024
 00523  2016   NtUserRegisterClassExWOW  (454664, 454732, 454748, 454764, 0, 128, 0, ... ) == 0x8177c025
 00524  2016   NtCallbackReturn  (0, 0, 0, ...
 00525  2016   NtGdiInit  (... ) == 0x1
 00526  2016   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00527  2016   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00528  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00529  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7864320, 65536, ) == 0x0
 00530  2016   NtAllocateVirtualMemory  (-1, 7864320, 0, 4096, 4096, 4, ... 7864320, 4096, ) == 0x0
 00531  2016   NtAllocateVirtualMemory  (-1, 7868416, 0, 8192, 4096, 4, ... 7868416, 8192, ) == 0x0
 00532  2016   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 52, {status=0x0, info=0}, ) == 0x0
 00533  2016   NtCreateFile  (0x40000000, {24, 0, 0x40, 0, 0,  (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00534  2016   NtCreateFile  (0x20000000, {24, 0, 0x40, 0, 0,  (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 60, {status=0x0, info=0}, ) == 0x0
 00535  2016   NtCreateFile  (0x100003, {24, 0, 0x40, 0, 0,  (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 64, {status=0x0, info=0}, ) == 0x0
 00536  2016   NtCreateFile  (0x20100080, {24, 0, 0x40, 0, 456856,  (0x20100080, {24, 0, 0x40, 0, 456856, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00537  2016   NtAllocateVirtualMemory  (-1, 7876608, 0, 36864, 4096, 4, ... 7876608, 36864, ) == 0x0
 00538  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00539  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00540  2016   NtClose  (72, ... ) == 0x0
 00541  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00542  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\365@\250\25(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\5\0\0\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0
 00543  2016   NtClose  (72, ... ) == 0x0
 00544  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00545  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363j\201\1\0\0\0\5\0\0\0\232A\250\25QC\241\6i\205\1\0\330\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3712k\0\351\221\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158},  (52, 72, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\271\233\363j\201\1\0\0\0\5\0\0\0\232A\250\25QC\241\6i\205\1\0\330\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3712k\0\351\221\0\0\360\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0
 00546  2016   NtClose  (72, ... ) == 0x0
 00547  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00548  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56},  (52, 72, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0
 00549  2016   NtClose  (72, ... ) == 0x0
 00550  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00551  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0
 00552  2016   NtClose  (72, ... ) == 0x0
 00553  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 72, ) == 0x0
 00554  2016   NtDeviceIoControlFile  (52, 72, 0x0, 0x0, 0x120003,  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8},  (52, 72, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0
 00555  2016   NtClose  (72, ... ) == 0x0
 00556  2016   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00557  2016   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00558  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00559  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00560  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00561  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00562  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00563  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00564  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00565  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00566  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00567  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00568  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00569  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00570  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00571  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00572  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00573  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00574  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00575  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00576  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00577  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00578  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00579  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00580  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00581  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00582  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00583  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00584  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00585  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00586  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00587  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00588  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00589  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00590  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00591  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00592  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00593  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00594  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00595  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00596  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00597  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00598  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00599  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00600  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00601  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00602  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00603  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00604  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00605  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00606  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00607  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00608  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00609  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00610  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00611  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00612  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00613  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00614  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00615  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00616  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00617  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00618  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00619  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00620  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00621  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00622  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00623  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00624  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00625  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00626  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00627  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00628  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00629  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00630  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00631  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00632  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00633  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00634  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00635  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00636  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00637  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00638  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00639  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00640  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00641  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00642  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00643  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00644  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00645  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00646  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00647  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00648  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00649  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00650  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00651  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00652  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00653  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00654  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00655  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00656  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00657  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00658  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00659  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00660  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00661  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00662  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00663  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00664  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00665  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00666  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00667  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00668  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00669  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00670  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00671  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00672  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00673  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00674  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00675  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00676  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00677  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00678  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 7929856, 65536, ) == 0x0
 00679  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0
 00680  2016   NtAllocateVirtualMemory  (-1, 7929856, 0, 1, 4096, 4, ... 7929856, 4096, ) == 0x0
 00681  2016   NtQueryVirtualMemory  (-1, 0x790000, Basic, 28, ... {BaseAddress=0x790000,AllocationBase=0x790000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0
 00682  2016   NtFreeVirtualMemory  (-1, (0x790000), 0, 32768, ... (0x790000), 65536, ) == 0x0
 00683  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 80, ) }, ... 80, ) == 0x0
 00684  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 84, ) }, ... 84, ) == 0x0
 00685  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 88, ) }, ... 88, ) == 0x0
 00686  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 92, ) }, ... 92, ) == 0x0
 00687  2016   NtTestAlert  (... ) == 0x0
 00688  2016   NtContinue  (458032, 1, ...
 00689  2016   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x1004310,}, 4, ... ) == 0x0
 00690  2016   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 96, ) }, ... 96, ) == 0x0
 00691  2016   NtCreateEvent  (0x1f0003, {24, 96, 0x80, 458660, 0,  (0x1f0003, {24, 96, 0x80, 458660, 0, "VT_3"}, 1, 0, ... 100, ) }, 1, 0, ... 100, ) == 0x0
 00692  2016   NtCreateSection  (0xe, {24, 0, 0x40, 458660, 0,  (0xe, {24, 0, 0x40, 458660, 0, "\BaseNamedObjects\W32_Virtu"}, {27086, 0}, 64, 134217728, 0, ... 104, ) }, {27086, 0}, 64, 134217728, 0, ... 104, ) == 0x0
 00693  2016   NtMapViewOfSection  (104, -1, (0x0), 0, 27086, 0x0, 27086, 2, 0, 64, ... (0x790000), 0x0, 28672, ) == 0x0
 00694  2016   NtOpenProcessToken  (-1, 0x20, ... 108, ) == 0x0
 00695  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00696  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00697  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 112, ) }, ... 112, ) == 0x0
 00698  2016   NtQueryValueKey  (112,  (112, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00699  2016   NtClose  (112, ... ) == 0x0
 00700  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00701  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00702  2016   NtAllocateVirtualMemory  (-1, 544768, 0, 4096, 4096, 4, ... 544768, 4096, ) == 0x0
 00703  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00704  2016   NtQuerySystemTime  (... {1442579164, 29929616}, ) == 0x0
 00705  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00706  2016   NtOpenKey  (0x20019, {24, 20, 0x40, 0, 0,  (0x20019, {24, 20, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00707  2016   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00708  2016   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00709  2016   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00710  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00711  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0
 00712  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00713  2016   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00714  2016   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00715  2016   NtClose  (136, ... ) == 0x0
 00716  2016   NtClose  (132, ... ) == 0x0
 00717  2016   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00718  2016   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00719  2016   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00720  2016   NtAllocateVirtualMemory  (-1, 548864, 0, 4096, 4096, 4, ... 548864, 4096, ) == 0x0
 00721  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00722  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00723  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00724  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00725  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 456820,  (0xc0100080, {24, 0, 0x40, 0, 456820, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00726  2016   NtSetInformationFile  (148, 456876, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00727  2016   NtSetInformationFile  (148, 456864, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00728  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00729  2016   NtWriteFile  (148, 125, 0, 0,  (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00730  2016   NtReadFile  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00731  2016   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\6\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00732  2016   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0hK\10\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0hK\10\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0hK\10\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 00733  2016   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00734  2016   NtClose  (144, ... ) == 0x0
 00735  2016   NtClose  (148, ... ) == 0x0
 00736  2016   NtAdjustPrivilegesToken  (108, 0, 458664, 0, 0, 0, ... ) == 0x0
 00737  2016   NtClose  (108, ... ) == 0x0
 00738  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 7995392, 65536, ) == 0x0
 00739  2016   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00740  2016   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 108, ) == 0x0
 00741  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7b0000), {0, 0}, 20480, ) == 0x0
 00742  2016   NtUnmapViewOfSection  (-1, 0x7b0000, ... ) == 0x0
 00743  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7b0000), {0, 0}, 20480, ) == 0x0
 00744  2016   NtFreeVirtualMemory  (-1, (0x7a0000), 0, 32768, ... (0x7a0000), 65536, ) == 0x0
 00745  2016   NtUnmapViewOfSection  (-1, 0x7b0000, ... ) == 0x0
 00746  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00747  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00748  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00749  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00750  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00751  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00752  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00753  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00754  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00755  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00756  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 148, ) == 0x0
 00757  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 144, ) }, ... 144, ) == 0x0
 00758  2016   NtMapViewOfSection  (144, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00759  2016   NtClose  (144, ... ) == 0x0
 00760  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00761  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00762  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00763  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00764  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00765  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00766  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00767  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00768  2016   NtAllocateVirtualMemory  (148, 0, 0, 262144, 8192, 4, ... 19595264, 262144, ) == 0x0
 00769  2016   NtAllocateVirtualMemory  (148, 19849216, 0, 8192, 4096, 4, ... 19849216, 8192, ) == 0x0
 00770  2016   NtProtectVirtualMemory  (148, (0x12ee000), 4096, 260, ... (0x12ee000), 4096, 4, ) == 0x0
 00771  2016   NtCreateThread  (0x1f03ff, 0x0, 148, 457408, 457352, 1, ... 144, {580, 420}, ) == 0x0
 00772  2016   NtRequestWaitReplyPort  (28, {28, 56, new_msg, 0, 0, 0, 0, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0D\2\0\0\244\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0D\2\0\0\244\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81848, 0}  (28, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0D\2\0\0\244\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81848, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0D\2\0\0\244\1\0\0" )  ) == 0x0
 00773  2016   NtResumeThread  (144, ... 1, ) == 0x0
 00774  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00775  2016   NtClose  (148, ... ) == 0x0
 00776  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00777  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00778  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 148, ) == 0x0
 00779  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00780  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00781  2016   NtClose  (152, ... ) == 0x0
 00782  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00783  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00784  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00785  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00786  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00787  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00788  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00789  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00790  2016   NtClose  (148, ... ) == 0x0
 00791  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00792  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00793  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 148, ) == 0x0
 00794  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00795  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff90000), 0x0, 28672, ) == 0x0
 00796  2016   NtClose  (152, ... ) == 0x0
 00797  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00798  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00799  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00800  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00801  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00802  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00803  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00804  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Lh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00805  2016   NtClose  (148, ... ) == 0x0
 00806  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00807  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00808  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 148, ) == 0x0
 00809  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00810  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00811  2016   NtClose  (152, ... ) == 0x0
 00812  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00813  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00814  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00815  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00816  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00817  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00818  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00819  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00820  2016   NtClose  (148, ... ) == 0x0
 00821  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00822  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00823  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 148, ) == 0x0
 00824  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00825  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00826  2016   NtClose  (152, ... ) == 0x0
 00827  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00828  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00829  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00830  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00831  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00832  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00833  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00834  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00835  2016   NtClose  (148, ... ) == 0x0
 00836  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00837  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00838  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 148, ) == 0x0
 00839  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00840  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ff50000), 0x0, 28672, ) == 0x0
 00841  2016   NtClose  (152, ... ) == 0x0
 00842  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00843  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Md\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00844  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00845  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00846  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00847  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00848  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00849  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Ld\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00850  2016   NtClose  (148, ... ) == 0x0
 00851  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00852  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00853  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 148, ) == 0x0
 00854  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00855  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00856  2016   NtClose  (152, ... ) == 0x0
 00857  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00858  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00859  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00860  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00861  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00862  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00863  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00864  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00865  2016   NtClose  (148, ... ) == 0x0
 00866  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00867  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00868  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 148, ) == 0x0
 00869  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00870  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00871  2016   NtClose  (152, ... ) == 0x0
 00872  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00873  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00874  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00875  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00876  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00877  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00878  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00879  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00880  2016   NtClose  (148, ... ) == 0x0
 00881  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00882  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00883  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 148, ) == 0x0
 00884  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00885  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00886  2016   NtClose  (152, ... ) == 0x0
 00887  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00888  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00889  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00890  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00891  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00892  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00893  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00894  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00895  2016   NtClose  (148, ... ) == 0x0
 00896  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00897  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00898  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 148, ) == 0x0
 00899  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00900  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00901  2016   NtClose  (152, ... ) == 0x0
 00902  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00903  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00904  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00905  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00906  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00907  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00908  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00909  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00910  2016   NtClose  (148, ... ) == 0x0
 00911  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00912  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00913  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 148, ) == 0x0
 00914  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00915  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00916  2016   NtClose  (152, ... ) == 0x0
 00917  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00918  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00919  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00920  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00921  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00922  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00923  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00924  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00925  2016   NtClose  (148, ... ) == 0x0
 00926  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00927  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00928  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 148, ) == 0x0
 00929  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00930  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00931  2016   NtClose  (152, ... ) == 0x0
 00932  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00933  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00934  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00935  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00936  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00937  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00938  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00939  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00940  2016   NtClose  (148, ... ) == 0x0
 00941  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00942  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00943  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 148, ) == 0x0
 00944  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00945  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00946  2016   NtClose  (152, ... ) == 0x0
 00947  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00948  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00949  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00950  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00951  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00952  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00953  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00954  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00955  2016   NtClose  (148, ... ) == 0x0
 00956  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00957  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00958  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 148, ) == 0x0
 00959  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00960  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00961  2016   NtClose  (152, ... ) == 0x0
 00962  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00963  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00964  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00965  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00966  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00967  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00968  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00969  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00970  2016   NtClose  (148, ... ) == 0x0
 00971  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00972  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00973  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 148, ) == 0x0
 00974  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00975  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00976  2016   NtClose  (152, ... ) == 0x0
 00977  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00978  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00979  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00980  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00981  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00982  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00983  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00984  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00985  2016   NtClose  (148, ... ) == 0x0
 00986  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 00987  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 00988  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 148, ) == 0x0
 00989  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 00990  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 00991  2016   NtClose  (152, ... ) == 0x0
 00992  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00993  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00994  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00995  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00996  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00997  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00998  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00999  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01000  2016   NtClose  (148, ... ) == 0x0
 01001  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01002  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01003  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 148, ) == 0x0
 01004  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01005  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01006  2016   NtClose  (152, ... ) == 0x0
 01007  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01008  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01009  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01010  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01011  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01012  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01013  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01014  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01015  2016   NtClose  (148, ... ) == 0x0
 01016  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01017  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01018  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 148, ) == 0x0
 01019  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01020  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01021  2016   NtClose  (152, ... ) == 0x0
 01022  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01023  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01024  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01025  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01026  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01027  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01028  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01029  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01030  2016   NtClose  (148, ... ) == 0x0
 01031  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01032  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01033  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 148, ) == 0x0
 01034  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01035  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01036  2016   NtClose  (152, ... ) == 0x0
 01037  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01038  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01039  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01040  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01041  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01042  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01043  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01044  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01045  2016   NtClose  (148, ... ) == 0x0
 01046  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01047  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01048  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 148, ) == 0x0
 01049  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01050  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01051  2016   NtClose  (152, ... ) == 0x0
 01052  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01053  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01054  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01055  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01056  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01057  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01058  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01059  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01060  2016   NtClose  (148, ... ) == 0x0
 01061  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01062  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01063  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 148, ) == 0x0
 01064  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01065  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01066  2016   NtClose  (152, ... ) == 0x0
 01067  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01068  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01069  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01070  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01071  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01072  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01073  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01074  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01075  2016   NtClose  (148, ... ) == 0x0
 01076  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01077  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01078  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 148, ) == 0x0
 01079  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01080  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01081  2016   NtClose  (152, ... ) == 0x0
 01082  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01083  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01084  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01085  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01086  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01087  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01088  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01089  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01090  2016   NtClose  (148, ... ) == 0x0
 01091  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01092  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01093  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 148, ) == 0x0
 01094  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01095  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01096  2016   NtClose  (152, ... ) == 0x0
 01097  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01098  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01099  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01100  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01101  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01102  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01103  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01104  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01105  2016   NtClose  (148, ... ) == 0x0
 01106  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01107  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01108  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 148, ) == 0x0
 01109  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01110  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01111  2016   NtClose  (152, ... ) == 0x0
 01112  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01113  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01114  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01115  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01116  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01117  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01118  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01119  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01120  2016   NtClose  (148, ... ) == 0x0
 01121  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01122  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01123  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 148, ) == 0x0
 01124  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01125  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01126  2016   NtClose  (152, ... ) == 0x0
 01127  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01128  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01129  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01130  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01131  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01132  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01133  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01134  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01135  2016   NtClose  (148, ... ) == 0x0
 01136  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01137  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01138  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 148, ) == 0x0
 01139  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01140  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01141  2016   NtClose  (152, ... ) == 0x0
 01142  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01143  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01144  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01145  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01146  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01147  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01148  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01149  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01150  2016   NtClose  (148, ... ) == 0x0
 01151  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01152  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01153  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {824, 0}, ... 148, ) == 0x0
 01154  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01155  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01156  2016   NtClose  (152, ... ) == 0x0
 01157  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01158  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01159  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01160  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01161  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01162  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01163  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01164  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01165  2016   NtClose  (148, ... ) == 0x0
 01166  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01167  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01168  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 148, ) == 0x0
 01169  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01170  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01171  2016   NtClose  (152, ... ) == 0x0
 01172  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01173  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01174  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01175  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01176  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01177  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01178  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01179  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01180  2016   NtClose  (148, ... ) == 0x0
 01181  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01182  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01183  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {896, 0}, ... 148, ) == 0x0
 01184  2016   NtOpenSection  (0xe, {24, 96, 0x0, 0, 0,  (0xe, {24, 96, 0x0, 0, 0, "W32_Virtu"}, ... 152, ) }, ... 152, ) == 0x0
 01185  2016   NtMapViewOfSection  (152, 148, (0x0), 0, 27086, 0x0, 27086, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 28672, ) == 0x0
 01186  2016   NtClose  (152, ... ) == 0x0
 01187  2016   NtProtectVirtualMemory  (148, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01188  2016   NtWriteVirtualMemory  (148, 0x7c90d682,  (148, 0x7c90d682, "\350\15Mi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01189  2016   NtProtectVirtualMemory  (148, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01190  2016   NtWriteVirtualMemory  (148, 0x7c90dcfd,  (148, 0x7c90dcfd, "\350\337Fi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01191  2016   NtProtectVirtualMemory  (148, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01192  2016   NtWriteVirtualMemory  (148, 0x7c90d754,  (148, 0x7c90d754, "\350\217Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01193  2016   NtProtectVirtualMemory  (148, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01194  2016   NtWriteVirtualMemory  (148, 0x7c90d769,  (148, 0x7c90d769, "\350\207Li\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01195  2016   NtClose  (148, ... ) == 0x0
 01196  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x7a0000), {0, 0}, 20480, ) == 0x0
 01197  2016   NtUnmapViewOfSection  (-1, 0x7a0000, ... ) == 0x0
 01198  2016   NtClose  (108, ... ) == 0x0
 01199  2016   NtClose  (100, ... ) == 0x0
 01200  2016   NtOpenKey  (0x1, {24, 20, 0x40, 0, 0,  (0x1, {24, 20, 0x40, 0, 0, "System\CurrentControlSet\Control\ServiceCurrent"}, ... 100, ) }, ... 100, ) == 0x0
 01201  2016   NtQueryValueKey  (100, " (100, "", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) \15\0\0\0"}, 16, ) == 0x0
 01202  2016   NtClose  (100, ... ) == 0x0
 01203  2016   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\DosDevices\pipe\"}, 3, 32, ... 100, {status=0x0, info=1}, ) }, 3, 32, ... 100, {status=0x0, info=1}, ) == 0x0
 01204  2016   NtFsControlFile  (100, 0, 0x0, 0x0, 0x110018,  (100, 0, 0x0, 0x0, 0x110018, "\200.\17\367\377\377\377\377&\0\0\0\1\0n\0e\0t\0\\0N\0t\0C\0o\0n\0t\0r\0o\0l\0P\0i\0p\0e\01\03\0", 52, 0, ... ) , 52, 0, ... ) == STATUS_IO_TIMEOUT
 01205  2016   NtClose  (100, ... ) == 0x0
 01206  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 457824,  (0xc0100080, {24, 0, 0x40, 0, 457824, "\??\pipe\net\NtControlPipe13"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_ACCESS_DENIED
 01207  2016   NtTerminateProcess  (0, 0, ... ) == 0x0
 01208  2016   NtFreeVirtualMemory  (-1, (0x780000), 0, 32768, ... (0x780000), 65536, ) == 0x0
 01209  2016   NtClose  (52, ... ) == 0x0
 01210  2016   NtClose  (56, ... ) == 0x0
 01211  2016   NtClose  (64, ... ) == 0x0
 01212  2016   NtClose  (60, ... ) == 0x0
 01213  2016   NtClose  (68, ... ) == 0x0
 01214  2016   NtClose  (72, ... ) == 0x0
 01215  2016   NtClose  (76, ... ) == 0x0
 01216  2016   NtClose  (92, ... ) == 0x0
 01217  2016   NtClose  (88, ... ) == 0x0
 01218  2016   NtClose  (84, ... ) == 0x0
 01219  2016   NtClose  (80, ... ) == 0x0
 01220  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 80, ) }, ... 80, ) == 0x0
 01221  2016   NtQueryValueKey  (80,  (80, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222  2016   NtClose  (80, ... ) == 0x0
 01223  2016   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 01224  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01225  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 01226  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 01227  2016   NtRequestWaitReplyPort  (28, {20, 48, new_msg, 0, 2089890268, 4096, 2089890433, 2089890440}  (28, {20, 48, new_msg, 0, 2089890268, 4096, 2089890433, 2089890440} "\0\0\0\0\3\0\1\0\240M&\0d\1&\0\0\0\0\0" ... {20, 48, reply, 0, 896, 2016, 81962, 0} "\0\0\0\0\3\0\1\0\0\0\0\0d\1&\0\0\0\0\0" )  ... {20, 48, reply, 0, 896, 2016, 81962, 0}  (28, {20, 48, new_msg, 0, 2089890268, 4096, 2089890433, 2089890440} "\0\0\0\0\3\0\1\0\240M&\0d\1&\0\0\0\0\0" ... {20, 48, reply, 0, 896, 2016, 81962, 0} "\0\0\0\0\3\0\1\0\0\0\0\0d\1&\0\0\0\0\0" )  ) == 0x0
 01228  2016   NtTerminateProcess  (-1, 0, ...
NtAdjustPrivilegesToken(>)	1	NtTestAlert(>)	1	NtSetInformationObject(>)	2	NtQuerySystemInformation(>)	14
NtCallbackReturn(>)	1	NtUserCallNoParam(>)	1	NtTerminateProcess(>)	2	NtUserRegisterClassExWOW(>)	14
NtCreateThread(>)	1	NtUserGetThreadDesktop(>)	1	NtGdiCreateCompatibleDC(>)	3	NtCreateFile(>)	15
NtDelayExecution(>)	1	NtWaitForMultipleObjects(>)	1	NtSetInformationThread(>)	3	NtFreeVirtualMemory(>)	29
NtGdiCreateBitmap(>)	1	NtWriteFile(>)	1	NtQueryInformationToken(>)	4	NtOpenProcess(>)	29
NtGdiInit(>)	1	NtContinue(>)	2	NtQueryVolumeInformationFile(>)	4	NtFlushInstructionCache(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtCreateIoCompletion(>)	2	NtGdiGetStockObject(>)	5	NtOpenKey(>)	37
NtGdiSelectBitmap(>)	1	NtCreateSemaphore(>)	2	NtQuerySection(>)	5	NtUnmapViewOfSection(>)	38
NtOpenKeyedEvent(>)	1	NtDuplicateObject(>)	2	NtDeviceIoControlFile(>)	6	NtOpenSection(>)	45
NtOpenSymbolicLinkObject(>)	1	NtGdiCreateSolidBrush(>)	2	NtFsControlFile(>)	6	NtQueryVirtualMemory(>)	55
NtQueryInformationFile(>)	1	NtOpenDirectoryObject(>)	2	NtQueryInformationProcess(>)	8	NtCreateSection(>)	59
NtQueryObject(>)	1	NtOpenProcessToken(>)	2	NtOpenFile(>)	9	NtAllocateVirtualMemory(>)	78
NtQuerySymbolicLinkObject(>)	1	NtOpenProcessTokenEx(>)	2	NtRequestWaitReplyPort(>)	9	NtMapViewOfSection(>)	84
NtQuerySystemTime(>)	1	NtOpenThreadToken(>)	2	NtUserFindExistingCursorIcon(>)	9	NtWriteVirtualMemory(>)	116
NtRegisterThreadTerminatePort(>)	1	NtOpenThreadTokenEx(>)	2	NtQueryAttributesFile(>)	12	NtProtectVirtualMemory(>)	179
NtResumeThread(>)	1	NtQueryDefaultLocale(>)	2	NtQueryValueKey(>)	12	NtClose(>)	233
NtSecureConnectPort(>)	1	NtReadFile(>)	2	NtCreateEvent(>)	13
NtSetInformationProcess(>)	1	NtSetInformationFile(>)	2