Summary:





NtAddAtom(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtGdiGetStockObject(>)  5 
NtUserGetAtomName(>)  28 


NtCallbackReturn(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryDefaultUILanguage(>)  6 
NtUserUnregisterClass(>)  28 


NtCreateMutant(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtSetValueKey(>)  6 
NtCreateEvent(>)  29 


NtCreateProcessEx(>)  1 
NtQueryPerformanceCounter(>)  2 
NtQuerySection(>)  7 
NtOpenProcess(>)  29 


NtCreateSemaphore(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQueryVirtualMemory(>)  7 
NtOpenThreadToken(>)  31 


NtEnumerateValueKey(>)  1 
NtReadVirtualMemory(>)  2 
NtSetInformationProcess(>)  7 
NtCreateFile(>)  32 


NtGdiCreateBitmap(>)  1 
NtRegisterThreadTerminatePort(>)  2 
NtUserSystemParametersInfo(>)  7 
NtSetInformationThread(>)  32 


NtGdiInit(>)  1 
NtReleaseMutant(>)  2 
NtEnumerateKey(>)  8 
NtQueryInformationToken(>)  34 


NtGdiQueryFontAssocInfo(>)  1 
NtSetEventBoostPriority(>)  2 
NtQueryVolumeInformationFile(>)  8 
NtUserFindExistingCursorIcon(>)  34 


NtGdiSelectBitmap(>)  1 
NtSetSecurityObject(>)  2 
NtQueryDebugFilterState(>)  9 
NtOpenFile(>)  40 


NtOpenKeyedEvent(>)  1 
NtTestAlert(>)  2 
NtDeviceIoControlFile(>)  10 
NtAllocateVirtualMemory(>)  41 


NtOpenMutant(>)  1 
NtUserWaitForInputIdle(>)  2 
NtRequestWaitReplyPort(>)  10 
NtUserRegisterClassExWOW(>)  42 


NtQueryInformationJobObject(>)  1 
NtCreateThread(>)  3 
NtDelayExecution(>)  11 
NtSetInformationFile(>)  43 


NtQueryInformationThread(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtOpenProcessToken(>)  12 
NtFsControlFile(>)  44 


NtQueryInstallUILanguage(>)  1 
NtResumeThread(>)  3 
NtQueryDefaultLocale(>)  13 
NtUnmapViewOfSection(>)  48 


NtQueryObject(>)  1 
NtSetInformationObject(>)  3 
NtAdjustPrivilegesToken(>)  14 
NtOpenSection(>)  50 


NtQuerySystemTime(>)  1 
NtTerminateProcess(>)  3 
NtReadFile(>)  15 
NtFlushInstructionCache(>)  55 


NtSecureConnectPort(>)  1 
NtWaitForMultipleObjects(>)  3 
NtWriteFile(>)  15 
NtQueryValueKey(>)  66 


NtUserCallNoParam(>)  1 
NtAccessCheck(>)  4 
NtQuerySystemInformation(>)  16 
NtCreateSection(>)  70 


NtUserCallOneParam(>)  1 
NtContinue(>)  4 
NtQueryInformationFile(>)  17 
NtMapViewOfSection(>)  100 


NtUserGetDC(>)  1 
NtDuplicateObject(>)  4 
NtQueryInformationProcess(>)  19 
NtOpenKey(>)  124 


NtUserGetThreadDesktop(>)  1 
NtFreeVirtualMemory(>)  4 
NtQueryDirectoryFile(>)  24 
NtWriteVirtualMemory(>)  124 


NtUserRegisterWindowMessage(>)  1 
NtSetEvent(>)  4 
NtOpenProcessTokenEx(>)  25 
NtProtectVirtualMemory(>)  233 


NtCreateIoCompletion(>)  2 
NtWaitForSingleObject(>)  4 
NtOpenThreadTokenEx(>)  25 
NtClose(>)  374 


NtDuplicateToken(>)  2 
NtCreateKey(>)  5 
NtQueryAttributesFile(>)  28 



Trace:

 00001  2016   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... -2147482756, {status=0x0, info=1}, ) }, 0, 32, ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00002  2016   NtQueryInformationFile  (-2147482756, -135238604, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00003  2016   NtReadFile  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474},  (-2147482756, 0, 0, 0, 13474, 0x0, 0, ... {status=0x0, info=13474}, "\21\0\0\0SCCA\17\0\0\0\2424\0\0P\0A\0C\0K\0E\0D\0.\0E\0X\0E\0\0\0\0\00\366i\201\0\0\0\0\0\0\0\0\20\0\0\0@-\201\367\0@\300\367\30,\201\367x@s\201@-\201\367\241\6\355\11\0\0\0\0\230\0\0\0\34\0\0\0\310\2\0\0\331\2\0\0\364$\0\0\36\14\0\0\301\0\0\1\0\0\0\212\3\0\0\200\14V6\217\260\310\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\01\0\0\0\0\0\0\02\0\0\0\2\0\0\01\0\0\0%\1\0\0f\0\0\05\0\0\0\6\0\0\0V\1\0\0\5\0\0\0\322\0\0\04\0\0\0\4\0\0\0[\1\0\0\3\0\0\0<\1\0\03\0\0\0\4\0\0\0^\1\0\0\4\0\0\0\244\1\0\05\0\0\0\4\0\0\0b\1\0\0\32\0\0\0\20\2\0\03\0\0\0\2\0\0\0|\1\0\0\23\0\0\0x\2\0\02\0\0\0\2\0\0\0\217\1\0\0\7\0\0\0\336\2\0\02\0\0\0\6\0\0\0\226\1\0\0\22\0\0\0D\3\0\05\0\0\0\2\0\0\0\250\1\0\0\14\0\0\0\260\3\0\03\0\0\0\2\0\0\0\264\1\0\0\13\0\0\0\30\4\0\05\0\0\0\2\0\0\0\277\1\0\0*\0\0\0\204\4\0\03\0\0\0\2\0\0\0\351\1\0\0\21\0\0\0\354\4\0\02\0\0\0\2\0\0\0\372\1\0\0\2\0\0\0R\5\0\02\0\0\0\4\0\0\0\374\1\0\0\1\0\0\0\270\5\0\04\0\0\0\4\0\0\0\375\1\0\0\22\0\0\0"\6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) \6\0\04\0\0\0\6\0\0\0\17\2\0\0\36\0\0\0\214\6\0\04\0\0\0\2\0\0\0-\2\0\0\13\0\0\0", ) == 0x0
 00004  2016   NtClose  (-2147482756, ... ) == 0x0
 00005  2016   NtCreateFile  (0x100080, {24, 0, 0x240, 0, 0,  (0x100080, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) }, 0x0, 0, 7, 1, 32, 0, 0, ... -2147482756, {status=0x0, info=0}, ) == 0x0
 00006  2016   NtQueryVolumeInformationFile  (-2147482756, -135238648, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00007  2016   NtClose  (-2147482756, ... ) == 0x0
 00008  2016   NtCreateFile  (0x100180, {24, 0, 0x240, 0, 0,  (0x100180, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1"}, 0x0, 0, 7, 1, 32, 0, 0, ... }, 0x0, 0, 7, 1, 32, 0, 0, ...
 00009  2016   NtContinue  (-135243448, 0, ...
 00008  2016   NtCreateFile  ... -2147482756, {status=0x0, info=1}, ) == 0x0
 00010  2016   NtQueryVolumeInformationFile  (-2147482756, -135238660, 24, Volume, ... {status=0x0, info=18}, ) == 0x0
 00011  2016   NtFsControlFile  (-2147482756, 0, 0x0, 0x0, 0x90120,  (-2147482756, 0, 0x0, 0x0, 0x90120, "\1\0\0\0!\0\0\0H\10\0\0\0\0\1\0\2309\0\0\0\0\2\0\15\1\0\0\0\0\1\0\357\0\0\0\0\3\0X\244\0\0\0\0\4\0\217\10\0\0\0\0\1\0\214;\0\0\0\0\2\0XK\0\0\0\0\3\0f\10\0\0\0\0\1\0Z\10\0\0\0\0\1\0\304\10\0\0\0\0\1\0Y\10\0\0\0\0\1\0C\10\0\0\0\0\1\0/:\0\0\0\0\3\0\235\244\0\0\0\0\3\0\26\11\0\0\0\0\1\0\201\246\0\0\0\0\3\0\224\246\0\0\0\0\3\0@C\0\0\0\0\2\0r\10\0\0\0\0\1\0g\10\0\0\0\0\1\0\2\1\0\0\0\0\1\0o%\0\0\0\0\3\0\243\10\0\0\0\0\1\0q\10\0\0\0\0\1\0p\10\0\0\0\0\1\0@\31\0\0\0\0\1\0\2339\0\0\0\0\1\0\5\0\0\0\0\0\5\0\34\0\0\0\0\0\1\0'\0\0\0\0\0\1\0\210\0\0\0\0\0\1\0\2329\0\0\0\0\1\0", 272, 0, ... {status=0x0, info=0}, 0x0, ) , 272, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00012  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00013  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=1146}, ) == 0x0
 00014  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00015  2016   NtClose  (-2147482764, ... ) == 0x0
 00016  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00017  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=15820}, ) == 0x0
 00018  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00019  2016   NtClose  (-2147482764, ... ) == 0x0
 00020  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00021  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=16366}, ) == 0x0
 00022  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16354}, ) == 0x0
 00023  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16348}, ) == 0x0
 00024  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=16364}, ) == 0x0
 00025  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... {status=0x0, info=11386}, ) == 0x0
 00026  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00027  2016   NtClose  (-2147482764, ... ) == 0x0
 00028  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00029  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=2228}, ) == 0x0
 00030  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00031  2016   NtClose  (-2147482764, ... ) == 0x0
 00032  2016   NtCreateFile  (0x100001, {24, 0, 0x240, 0, 0,  (0x100001, {24, 0, 0x240, 0, 0, "\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\"}, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 16417, 0, 0, ... -2147482764, {status=0x0, info=1}, ) == 0x0
 00033  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446847, ... {status=0x0, info=68}, ) == 0x0
 00034  2016   NtQueryDirectoryFile  (-2147482764, 0, 0, 0, -504332288, 16384, Names, 0, 0x0, -518446848, ... ) == STATUS_NO_MORE_FILES
 00035  2016   NtClose  (-2147482764, ... ) == 0x0
 00036  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482764, ... -2147482688, ) == 0x0
 00037  2016   NtClose  (-2147482688, ... ) == 0x0
 00038  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482688, ... -2147482660, ) == 0x0
 00039  2016   NtClose  (-2147482660, ... ) == 0x0
 00040  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482660, ... -2147482656, ) == 0x0
 00041  2016   NtClose  (-2147482656, ... ) == 0x0
 00042  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482656, ... -2147482652, ) == 0x0
 00043  2016   NtClose  (-2147482652, ... ) == 0x0
 00044  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482652, ... -2147482724, ) == 0x0
 00045  2016   NtClose  (-2147482724, ... ) == 0x0
 00046  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482724, ... -2147481452, ) == 0x0
 00047  2016   NtClose  (-2147481452, ... ) == 0x0
 00048  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481452, ... -2147482684, ) == 0x0
 00049  2016   NtClose  (-2147482684, ... ) == 0x0
 00050  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482684, ... -2147482680, ) == 0x0
 00051  2016   NtClose  (-2147482680, ... ) == 0x0
 00052  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482680, ... -2147482760, ) == 0x0
 00053  2016   NtClose  (-2147482760, ... ) == 0x0
 00054  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482760, ... -2147481628, ) == 0x0
 00055  2016   NtClose  (-2147481628, ... ) == 0x0
 00056  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481628, ... -2147481484, ) == 0x0
 00057  2016   NtClose  (-2147481484, ... ) == 0x0
 00058  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481484, ... -2147482104, ) == 0x0
 00059  2016   NtClose  (-2147482104, ... ) == 0x0
 00060  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482104, ... -2147482592, ) == 0x0
 00061  2016   NtClose  (-2147482592, ... ) == 0x0
 00062  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482592, ... -2147481624, ) == 0x0
 00063  2016   NtClose  (-2147481624, ... ) == 0x0
 00064  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481624, ... -2147482676, ) == 0x0
 00065  2016   NtClose  (-2147482676, ... ) == 0x0
 00066  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482676, ... -2147482672, ) == 0x0
 00067  2016   NtClose  (-2147482672, ... ) == 0x0
 00068  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482672, ... -2147482668, ) == 0x0
 00069  2016   NtClose  (-2147482668, ... ) == 0x0
 00070  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482668, ... -2147482664, ) == 0x0
 00071  2016   NtClose  (-2147482664, ... ) == 0x0
 00072  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482664, ... -2147481588, ) == 0x0
 00073  2016   NtClose  (-2147481588, ... ) == 0x0
 00074  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481588, ... -2147481584, ) == 0x0
 00075  2016   NtClose  (-2147481584, ... ) == 0x0
 00076  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481584, ... -2147482692, ) == 0x0
 00077  2016   NtClose  (-2147482692, ... ) == 0x0
 00078  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482692, ... -2147481512, ) == 0x0
 00079  2016   NtClose  (-2147481512, ... ) == 0x0
 00080  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481512, ... -2147481580, ) == 0x0
 00081  2016   NtClose  (-2147481580, ... ) == 0x0
 00082  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481580, ... -2147481552, ) == 0x0
 00083  2016   NtClose  (-2147481552, ... ) == 0x0
 00084  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481552, ... -2147481592, ) == 0x0
 00085  2016   NtClose  (-2147481592, ... ) == 0x0
 00086  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481592, ... -2147481596, ) == 0x0
 00087  2016   NtClose  (-2147481596, ... ) == 0x0
 00088  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147481596, ... -2147482108, ) == 0x0
 00089  2016   NtClose  (-2147482108, ... ) == 0x0
 00090  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 4, 67108864, -2147482108, ... -2147482732, ) == 0x0
 00091  2016   NtClose  (-2147482732, ... ) == 0x0
 00092  2016   NtClose  (-2147482764, ... ) == 0x0
 00093  2016   NtClose  (-2147482688, ... ) == 0x0
 00094  2016   NtClose  (-2147482660, ... ) == 0x0
 00095  2016   NtClose  (-2147482656, ... ) == 0x0
 00096  2016   NtClose  (-2147482652, ... ) == 0x0
 00097  2016   NtClose  (-2147482724, ... ) == 0x0
 00098  2016   NtClose  (-2147481452, ... ) == 0x0
 00099  2016   NtClose  (-2147482684, ... ) == 0x0
 00100  2016   NtClose  (-2147482680, ... ) == 0x0
 00101  2016   NtClose  (-2147482760, ... ) == 0x0
 00102  2016   NtClose  (-2147481628, ... ) == 0x0
 00103  2016   NtClose  (-2147481484, ... ) == 0x0
 00104  2016   NtClose  (-2147482104, ... ) == 0x0
 00105  2016   NtClose  (-2147482592, ... ) == 0x0
 00106  2016   NtClose  (-2147481624, ... ) == 0x0
 00107  2016   NtClose  (-2147482676, ... ) == 0x0
 00108  2016   NtClose  (-2147482672, ... ) == 0x0
 00109  2016   NtClose  (-2147482668, ... ) == 0x0
 00110  2016   NtClose  (-2147482664, ... ) == 0x0
 00111  2016   NtClose  (-2147481588, ... ) == 0x0
 00112  2016   NtClose  (-2147481584, ... ) == 0x0
 00113  2016   NtClose  (-2147482692, ... ) == 0x0
 00114  2016   NtClose  (-2147481512, ... ) == 0x0
 00115  2016   NtClose  (-2147481580, ... ) == 0x0
 00116  2016   NtClose  (-2147481552, ... ) == 0x0
 00117  2016   NtClose  (-2147481592, ... ) == 0x0
 00118  2016   NtClose  (-2147481596, ... ) == 0x0
 00119  2016   NtClose  (-2147482108, ... ) == 0x0
 00120  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482108, ... -2147481596, ) == 0x0
 00121  2016   NtClose  (-2147481596, ... ) == 0x0
 00122  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481596, ... -2147481592, ) == 0x0
 00123  2016   NtClose  (-2147481592, ... ) == 0x0
 00124  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481592, ... -2147481552, ) == 0x0
 00125  2016   NtClose  (-2147481552, ... ) == 0x0
 00126  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481552, ... -2147481580, ) == 0x0
 00127  2016   NtClose  (-2147481580, ... ) == 0x0
 00128  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481580, ... -2147481512, ) == 0x0
 00129  2016   NtClose  (-2147481512, ... ) == 0x0
 00130  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481512, ... -2147482692, ) == 0x0
 00131  2016   NtClose  (-2147482692, ... ) == 0x0
 00132  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482692, ... -2147481584, ) == 0x0
 00133  2016   NtClose  (-2147481584, ... ) == 0x0
 00134  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481584, ... -2147481588, ) == 0x0
 00135  2016   NtClose  (-2147481588, ... ) == 0x0
 00136  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481588, ... -2147482664, ) == 0x0
 00137  2016   NtClose  (-2147482664, ... ) == 0x0
 00138  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482664, ... -2147482668, ) == 0x0
 00139  2016   NtClose  (-2147482668, ... ) == 0x0
 00140  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482668, ... -2147482672, ) == 0x0
 00141  2016   NtClose  (-2147482672, ... ) == 0x0
 00142  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482672, ... -2147482676, ) == 0x0
 00143  2016   NtClose  (-2147482676, ... ) == 0x0
 00144  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482676, ... -2147481624, ) == 0x0
 00145  2016   NtClose  (-2147481624, ... ) == 0x0
 00146  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481624, ... -2147482592, ) == 0x0
 00147  2016   NtClose  (-2147482592, ... ) == 0x0
 00148  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482592, ... -2147482104, ) == 0x0
 00149  2016   NtClose  (-2147482104, ... ) == 0x0
 00150  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482104, ... -2147481484, ) == 0x0
 00151  2016   NtClose  (-2147481484, ... ) == 0x0
 00152  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481484, ... -2147481628, ) == 0x0
 00153  2016   NtClose  (-2147481628, ... ) == 0x0
 00154  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481628, ... -2147482760, ) == 0x0
 00155  2016   NtClose  (-2147482760, ... ) == 0x0
 00156  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482760, ... -2147482680, ) == 0x0
 00157  2016   NtClose  (-2147482680, ... ) == 0x0
 00158  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482680, ... -2147482684, ) == 0x0
 00159  2016   NtClose  (-2147482684, ... ) == 0x0
 00160  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147482684, ... -2147481452, ) == 0x0
 00161  2016   NtClose  (-2147481452, ... ) == 0x0
 00162  2016   NtCreateSection  (0xd, {24, 0, 0x240, 0, 0, 0x0}, 0x0, 16, 16777216, -2147481452, ... -2147482724, ) == 0x0
 00163  2016   NtClose  (-2147482724, ... ) == 0x0
 00164  2016   NtClose  (-2147482108, ... ) == 0x0
 00165  2016   NtClose  (-2147481596, ... ) == 0x0
 00166  2016   NtClose  (-2147481592, ... ) == 0x0
 00167  2016   NtClose  (-2147481552, ... ) == 0x0
 00168  2016   NtClose  (-2147481580, ... ) == 0x0
 00169  2016   NtClose  (-2147481512, ... ) == 0x0
 00170  2016   NtClose  (-2147482692, ... ) == 0x0
 00171  2016   NtClose  (-2147481584, ... ) == 0x0
 00172  2016   NtClose  (-2147481588, ... ) == 0x0
 00173  2016   NtClose  (-2147482664, ... ) == 0x0
 00174  2016   NtClose  (-2147482668, ... ) == 0x0
 00175  2016   NtClose  (-2147482672, ... ) == 0x0
 00176  2016   NtClose  (-2147482676, ... ) == 0x0
 00177  2016   NtClose  (-2147481624, ... ) == 0x0
 00178  2016   NtClose  (-2147482592, ... ) == 0x0
 00179  2016   NtClose  (-2147482104, ... ) == 0x0
 00180  2016   NtClose  (-2147481484, ... ) == 0x0
 00181  2016   NtClose  (-2147481628, ... ) == 0x0
 00182  2016   NtClose  (-2147482760, ... ) == 0x0
 00183  2016   NtClose  (-2147482680, ... ) == 0x0
 00184  2016   NtClose  (-2147482684, ... ) == 0x0
 00185  2016   NtClose  (-2147481452, ... ) == 0x0
 00186  2016   NtClose  (-2147482756, ... ) == 0x0
 00187  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00188  2016   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00189  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00190  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00191  2016   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00192  2016   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00193  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00195  2016   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00196  2016   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00197  2016   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00198  2016   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00199  2016   NtClose  (12, ... ) == 0x0
 00200  2016   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00201  2016   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00202  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00204  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00205  2016   NtClose  (16, ... ) == 0x0
 00206  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00207  2016   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00208  2016   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00209  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00210  2016   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00211  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00212  2016   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00213  2016   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18939904}, {0, 0, 0}, 200, 44, ) == 0x0
 00214  2016   NtClose  (16, ... ) == 0x0
 00215  2016   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00216  2016   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00217  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00218  2016   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00219  2016   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00220  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81831, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6!\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" ... {28, 56, reply, 0, 896, 2016, 81831, 0} "\370\374\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6!\1\4\0\0\0" )  ) == 0x0
 00221  2016   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00222  2016   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00223  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00224  2016   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00225  2016   NtClose  (16, ... ) == 0x0
 00226  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00227  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00228  2016   NtClose  (16, ... ) == 0x0
 00229  2016   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00230  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00231  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00232  2016   NtClose  (16, ... ) == 0x0
 00233  2016   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00234  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00235  2016   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00236  2016   NtClose  (16, ... ) == 0x0
 00237  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00238  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00239  2016   NtClose  (16, ... ) == 0x0
 00240  2016   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00241  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00242  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00243  2016   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00244  2016   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ... {24, 52, reply, 0, 896, 2016, 81832, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6!\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" ... {24, 52, reply, 0, 896, 2016, 81832, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6!\1p\30\0\0" )  ) == 0x0
 00245  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81833, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6!\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" ... {28, 56, reply, 0, 896, 2016, 81833, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6!\18\6\0\0" )  ) == 0x0
 00246  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 128, ) == 0x0
 00247  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 128, ... (0x31007000), 73728, 4, ) == 0x0
 00248  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00249  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00250  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00251  2016   NtClose  (16, ... ) == 0x0
 00252  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00253  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00254  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00255  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00256  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00257  2016   NtClose  (16, ... ) == 0x0
 00258  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00259  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00260  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00261  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00262  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00263  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00264  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00265  2016   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00266  2016   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00267  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00268  2016   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00269  2016   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00270  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 64, ) == 0x0
 00271  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 64, ... (0x31007000), 73728, 4, ) == 0x0
 00272  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00273  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00274  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00275  2016   NtClose  (16, ... ) == 0x0
 00276  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00277  2016   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00278  2016   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00279  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 64, ) == 0x0
 00280  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 64, ... (0x31007000), 73728, 4, ) == 0x0
 00281  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00282  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00283  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00284  2016   NtClose  (16, ... ) == 0x0
 00285  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00286  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00287  2016   NtClose  (16, ... ) == 0x0
 00288  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00289  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00290  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00291  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00292  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00293  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00294  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00295  2016   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00296  2016   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00297  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00298  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00299  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00300  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00301  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00302  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00303  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00304  2016   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00305  2016   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00306  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 64, ) == 0x0
 00307  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 64, ... (0x31007000), 73728, 4, ) == 0x0
 00308  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00309  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00310  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0
 00311  2016   NtClose  (16, ... ) == 0x0
 00312  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00313  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00314  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00315  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00316  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00317  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00318  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00319  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00320  2016   NtClose  (16, ... ) == 0x0
 00321  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00322  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00323  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00324  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00325  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00326  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00327  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00328  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00329  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00330  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00331  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00332  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00333  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00334  2016   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00335  2016   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00336  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00337  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00338  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00339  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00340  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00341  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00342  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00343  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00344  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00345  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00346  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00347  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00348  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00349  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x400000), 0x0, 36864, ) == 0x0
 00350  2016   NtClose  (16, ... ) == 0x0
 00351  2016   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00352  2016   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00353  2016   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00354  2016   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00355  2016   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00356  2016   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00357  2016   NtProtectVirtualMemory  (-1, (0x401000), 160, 4, ... (0x401000), 4096, 32, ) == 0x0
 00358  2016   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00359  2016   NtFlushInstructionCache  (-1, 4198400, 160, ... ) == 0x0
 00360  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00361  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00362  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00363  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00364  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0
 00365  2016   NtClose  (16, ... ) == 0x0
 00366  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00367  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00368  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00369  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00370  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00371  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00372  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00373  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00374  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00375  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00376  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00377  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00378  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00379  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00380  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00381  2016   NtProtectVirtualMemory  (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0
 00382  2016   NtProtectVirtualMemory  (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0
 00383  2016   NtFlushInstructionCache  (-1, 1117327360, 616, ... ) == 0x0
 00384  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0
 00385  2016   NtProtectVirtualMemory  (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0
 00386  2016   NtFlushInstructionCache  (-1, 1119948800, 1452, ... ) == 0x0
 00387  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 64, ) == 0x0
 00388  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 64, ... (0x31007000), 73728, 4, ) == 0x0
 00389  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00390  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00391  2016   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00392  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393  2016   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00394  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00395  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00396  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00397  2016   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00398  2016   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00399  2016   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00400  2016   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00401  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00402  2016   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00403  2016   NtClose  (36, ... ) == 0x0
 00404  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00405  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00406  2016   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00407  2016   NtClose  (36, ... ) == 0x0
 00408  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409  2016   NtClose  (32, ... ) == 0x0
 00410  2016   NtClose  (16, ... ) == 0x0
 00411  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0
 00412  2016   NtClose  (28, ... ) == 0x0
 00413  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00414  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00415  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00416  2016   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00417  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1241756, ... ) }, 1241756, ... ) == 0x0
 00419  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00420  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00421  2016   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00422  2016   NtClose  (28, ... ) == 0x0
 00423  2016   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00424  2016   NtClose  (16, ... ) == 0x0
 00425  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0
 00426  2016   NtProtectVirtualMemory  (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0
 00427  2016   NtFlushInstructionCache  (-1, 1906970624, 352, ... ) == 0x0
 00428  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0
 00429  2016   NtProtectVirtualMemory  (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0
 00430  2016   NtFlushInstructionCache  (-1, 1907036160, 468, ... ) == 0x0
 00431  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 4, ... (0x31007000), 73728, 64, ) == 0x0
 00432  2016   NtProtectVirtualMemory  (-1, (0x31007000), 73728, 64, ... (0x31007000), 73728, 4, ) == 0x0
 00433  2016   NtFlushInstructionCache  (-1, 822112256, 73728, ... ) == 0x0
 00434  2016   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00435  2016   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00436  2016   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00437  2016   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00438  2016   NtClose  (16, ... ) == 0x0
 00439  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00440  2016   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00441  2016   NtClose  (16, ... ) == 0x0
 00442  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00445  2016   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00446  2016   NtQueryValueKey  (16,  (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00447  2016   NtClose  (16, ... ) == 0x0
 00448  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0
 00449  2016   NtQueryValueKey  (16,  (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450  2016   NtClose  (16, ... ) == 0x0
 00451  2016   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0
 00452  2016   NtSetInformationObject  (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00453  2016   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00454  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00455  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00456  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00457  2016   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00458  2016   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00459  2016   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00460  2016   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0
 00461  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00462  2016   NtClose  (28, ... ) == 0x0
 00463  2016   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00464  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00465  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00466  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00467  2016   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00468  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00469  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81834, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6!\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81834, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6!\1$\1\0\0" )  ) == 0x0
 00472  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0
 00473  2016   NtQueryValueKey  (28,  (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00474  2016   NtClose  (28, ... ) == 0x0
 00475  2016   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00476  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00477  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00478  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0
 00479  2016   NtClose  (28, ... ) == 0x0
 00480  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00481  2016   NtClose  (32, ... ) == 0x0
 00482  2016   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00483  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00484  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00485  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0
 00486  2016   NtClose  (32, ... ) == 0x0
 00487  2016   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00488  2016   NtClose  (28, ... ) == 0x0
 00489  2016   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00490  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00491  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00492  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00493  2016   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00494  2016   NtClose  (28, ... ) == 0x0
 00495  2016   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00496  2016   NtClose  (32, ... ) == 0x0
 00497  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00498  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00499  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00500  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00501  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00502  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00503  2016   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00504  2016   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00505  2016   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00506  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00507  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00508  2016   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00509  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00510  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00511  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00512  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00513  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00514  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00515  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00516  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00518  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00519  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00520  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00521  2016   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00522  2016   NtClose  (32, ... ) == 0x0
 00523  2016   NtMapViewOfSection  (-2147482756, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4e0000), 0x0, 1060864, ) == 0x0
 00524  2016   NtClose  (-2147482756, ... ) == 0x0
 00525  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00526  2016   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00527  2016   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482756, ) == 0x0
 00528  2016   NtQueryInformationToken  (-2147482756, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00529  2016   NtQueryInformationToken  (-2147482756, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00530  2016   NtClose  (-2147482756, ... ) == 0x0
 00531  2016   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00532  2016   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00533  2016   NtDuplicateObject  (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00534  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00535  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536  2016   NtClose  (-2147482756, ... ) == 0x0
 00537  2016   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00538  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539  2016   NtClose  (-2147482756, ... ) == 0x0
 00540  2016   NtQueryDefaultLocale  (0, -135747252, ... ) == 0x0
 00541  2016   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00542  2016   NtUserCallNoParam  (24, ... ) == 0x0
 00543  2016   NtGdiCreateCompatibleDC  (0, ...
 00544  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00543  2016   NtGdiCreateCompatibleDC  ... ) == 0x860107ab
 00545  2016   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00546  2016   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00547  2016   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x870506a2
 00548  2016   NtGdiCreateSolidBrush  (0, 0, ...
 00549  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00548  2016   NtGdiCreateSolidBrush  ... ) == 0x1100680
 00550  2016   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00551  2016   NtGdiCreateCompatibleDC  (0, ... ) == 0xf6010687
 00552  2016   NtGdiSelectBitmap  (-167704953, -2029713758, ... ) == 0x185000f
 00553  2016   NtUserGetThreadDesktop  (2016, 0, ... ) == 0x24
 00554  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00555  2016   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00556  2016   NtClose  (44, ... ) == 0x0
 00557  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00558  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8177c017
 00559  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00560  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8177c01c
 00561  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00562  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8177c01e
 00563  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00564  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81778002
 00565  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00566  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8177c018
 00567  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00568  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8177c01a
 00569  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00570  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8177c01d
 00571  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00572  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8177c026
 00573  2016   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00574  2016   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8177c019
 00575  2016   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c020
 00576  2016   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c022
 00577  2016   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c023
 00578  2016   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8177c024
 00579  2016   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8177c025
 00580  2016   NtCallbackReturn  (0, 0, 0, ...
 00581  2016   NtGdiInit  (... ) == 0x1
 00582  2016   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00583  2016   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00584  2016   NtOpenKey  (0x2000000, {24, 16, 0x40, 0, 0,  (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00585  2016   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0
 00586  2016   NtCreateSemaphore  (0x1f0003, {24, 44, 0x80, 1329368, 0,  (0x1f0003, {24, 44, 0x80, 1329368, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 48, ) }, 0, 2147483647, ... 48, ) == STATUS_OBJECT_NAME_EXISTS
 00587  2016   NtQueryPerformanceCounter  (... {-1451148798, 16}, {3579545, 0}, ) == 0x0
 00588  2016   NtQueryPerformanceCounter  (... {-1451147440, 16}, {3579545, 0}, ) == 0x0
 00589  2016   NtAllocateVirtualMemory  (-1, 1331200, 0, 8192, 4096, 4, ... 1331200, 8192, ) == 0x0
 00590  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00591  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 9371648, 1048576, ) == 0x0
 00592  2016   NtAllocateVirtualMemory  (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0
 00593  2016   NtAllocateVirtualMemory  (-1, 9375744, 0, 8192, 4096, 4, ... 9375744, 8192, ) == 0x0
 00594  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00595  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1242800,  (0xc0100080, {24, 0, 0x40, 0, 1242800, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 56, {status=0x0, info=0}, ) == 0x0
 00596  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 60, ) == 0x0
 00597  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f710, 0x22414c,  (56, 60, 0x0, 0x12f710, 0x22414c, "X\367\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00598  2016   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00599  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00601  2016   NtClose  (-2147482756, ... ) == 0x0
 00602  2016   NtClose  (892, ... ) == 0x0
 00597  2016   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, "\330\34\34\341\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#u\0l\0t\0\16\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00603  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243016,  (0xc0100080, {24, 0, 0x40, 0, 1243016, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 68, {status=0x0, info=0}, ) == 0x0
 00604  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0
 00605  2016   NtDuplicateObject  (-1, -1, -1, 0x0, 0, 2, ... 76, ) == 0x0
 00606  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 80, ) == 0x0
 00607  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 84, ) == 0x0
 00608  2016   NtAllocateVirtualMemory  (-1, 9383936, 0, 8192, 4096, 4, ... 9383936, 8192, ) == 0x0
 00609  2016   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 10420224, 1048576, ) == 0x0
 00610  2016   NtAllocateVirtualMemory  (-1, 11460608, 0, 8192, 4096, 4, ... 11460608, 8192, ) == 0x0
 00611  2016   NtProtectVirtualMemory  (-1, (0xaee000), 4096, 260, ... (0xaee000), 4096, 4, ) == 0x0
 00612  2016   NtCreateThread  (0x1f03ff, 0x0, -1, 1242100, 1242044, 1, ... 88, {896, 596}, ) == 0x0
 00613  2016   NtQueryInformationThread  (88, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=896,Tid=596,}, 0x0, ) == 0x0
 00614  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\200\3\0\0T\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81835, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\200\3\0\0T\2\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81835, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 9372024} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\200\3\0\0T\2\0\0" ... {28, 56, reply, 0, 896, 2016, 81835, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0X\0\0\0\200\3\0\0T\2\0\0" )  ) == 0x0
 00615  2016   NtResumeThread  (88, ... 1, ) == 0x0
 00616  2016   NtClose  (88, ... ) == 0x0
 00617  2016   NtSetEvent  (72, ... 0x0, ) == 0x0
 00618   596   NtCreateEvent  (0x100003, 0x0, 1, 0, ... 88, ) == 0x0
 00619   596   NtWaitForSingleObject  (88, 0, 0x0, ...
 00620  2016   NtSetEvent  (52, ... 0x0, ) == 0x0
 00621  2016   NtClose  (52, ... ) == 0x0
 00622  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00623  2016   NtAllocateVirtualMemory  (-1, 9392128, 0, 4096, 4096, 4, ... 9392128, 4096, ) == 0x0
 00624  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12f710, 0x22414c,  (56, 60, 0x0, 0x12f710, 0x22414c, "X\367\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ...
 00625  2016   NtOpenKey  (0x82000000, {24, 0, 0x240, 0, 0,  (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00626  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00627  2016   NtQueryValueKey  (-2147482756,  (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628  2016   NtClose  (-2147482756, ... ) == 0x0
 00629  2016   NtClose  (892, ... ) == 0x0
 00624  2016   NtDeviceIoControlFile  ... {status=0x0, info=80},  ... {status=0x0, info=80}, " \3106\342\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344j\0e\0c\0t\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00630  2016   NtSetEvent  (72, ... 0x0, ) == 0x0
 00631  2016   NtSetEvent  (52, ... 0x0, ) == 0x0
 00632  2016   NtClose  (52, ... ) == 0x0
 00633  2016   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00634  2016   NtOpenProcessToken  (-1, 0xa, ... 52, ) == 0x0
 00635  2016   NtDuplicateToken  (52, 0xc, {24, 0, 0x0, 0, 1243284, 0x0}, 0, 2, ... 96, ) == 0x0
 00636  2016   NtClose  (52, ... ) == 0x0
 00637  2016   NtAccessCheck  (1335152, 96, 0x1, 1243360, 1243412, 56, 1243392, ... (0x1), ) == 0x0
 00638  2016   NtClose  (96, ... ) == 0x0
 00639  2016   NtQueryDefaultUILanguage  (1242164, ...
 00640  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00641  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00642  2016   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00643  2016   NtClose  (-2147482756, ... ) == 0x0
 00644  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00645  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00646  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00647  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648  2016   NtClose  (-2147481452, ... ) == 0x0
 00649  2016   NtClose  (-2147482756, ... ) == 0x0
 00639  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00650  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00651  2016   NtQueryDefaultUILanguage  (2090319928, ...
 00652  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00653  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00654  2016   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00655  2016   NtClose  (-2147482756, ... ) == 0x0
 00656  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00657  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00658  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00659  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00660  2016   NtClose  (-2147481452, ... ) == 0x0
 00661  2016   NtClose  (-2147482756, ... ) == 0x0
 00651  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00662  2016   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00663  2016   NtQueryDefaultLocale  (1, 1240260, ... ) == 0x0
 00664  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665  2016   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020}  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 896, 2016, 81836, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 896, 2016, 81836, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1241296, 1179817, 1241020} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 896, 2016, 81836, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\304\364\22\0\0\0\0\0" )  ) == 0x0
 00666  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00667  2016   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00669  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00670  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1239488, ... ) }, 1239488, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00671  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00672  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00673  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00674  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239552, ... ) }, 1239552, ... ) == 0x0
 00675  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 96, {status=0x0, info=1}, ) }, 3, 33, ... 96, {status=0x0, info=1}, ) == 0x0
 00676  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00677  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00678  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00679  2016   NtClose  (52, ... ) == 0x0
 00680  2016   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xaf0000), 0x0, 1056768, ) == 0x0
 00681  2016   NtClose  (100, ... ) == 0x0
 00682  2016   NtUnmapViewOfSection  (-1, 0xaf0000, ... ) == 0x0
 00683  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00684  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 100, ... 52, ) == 0x0
 00685  2016   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00686  2016   NtClose  (100, ... ) == 0x0
 00687  2016   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00688  2016   NtClose  (52, ... ) == 0x0
 00689  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00690  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00691  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00692  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00693  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00694  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00695  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00696  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00697  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00698  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00699  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00700  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00701  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00702  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00703  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00704  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00705  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00706  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00707  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00708  2016   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00709  2016   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00710  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711  2016   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1241032, ... ) , 42, 1241032, ... ) == 0x0
 00712  2016   NtQueryDefaultUILanguage  (1239716, ...
 00713  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00714  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482756, ) == 0x0
 00715  2016   NtQueryInformationToken  (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00716  2016   NtClose  (-2147482756, ... ) == 0x0
 00717  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0
 00718  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x240, 0, 0,  (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00719  2016   NtOpenKey  (0x80000000, {24, -2147482756, 0x640, 0, 0,  (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0
 00720  2016   NtQueryValueKey  (-2147481452,  (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00721  2016   NtClose  (-2147481452, ... ) == 0x0
 00722  2016   NtClose  (-2147482756, ... ) == 0x0
 00712  2016   NtQueryDefaultUILanguage  ... ) == 0x0
 00723  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238556, ... ) }, 1238556, ... ) == 0x0
 00724  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00725  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 100, ) == 0x0
 00726  2016   NtClose  (52, ... ) == 0x0
 00727  2016   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x370000), 0x0, 4096, ) == 0x0
 00728  2016   NtClose  (100, ... ) == 0x0
 00729  2016   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00730  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238152, ... ) }, 1238152, ... ) == 0x0
 00731  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238896,  (0x80100080, {24, 0, 0x40, 0, 1238896, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00732  2016   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 100, ... 52, ) == 0x0
 00733  2016   NtClose  (100, ... ) == 0x0
 00734  2016   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x370000), {0, 0}, 4096, ) == 0x0
 00735  2016   NtClose  (52, ... ) == 0x0
 00736  2016   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00737  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00738  2016   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 100, ) == 0x0
 00739  2016   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x370000), 0x0, 4096, ) == 0x0
 00740  2016   NtQueryInformationFile  (52, 1238548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00741  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00742  2016   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572}  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 896, 2016, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 896, 2016, 81839, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238848, 1179817, 1238572} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 896, 2016, 81839, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\14\0\0\0d\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\04\353\22\0\0\0\0\0" )  ) == 0x0
 00743  2016   NtClose  (52, ... ) == 0x0
 00744  2016   NtClose  (100, ... ) == 0x0
 00745  2016   NtUnmapViewOfSection  (-1, 0x370000, ... ) == 0x0
 00746  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00747  2016   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00748  2016   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00749  2016   NtUserGetDC  (0, ... ) == 0x1010052
 00750  2016   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00751  2016   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00752  2016   NtUserSystemParametersInfo  (66, 12, 1240548, 0, ... ) == 0x1
 00753  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00754  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00755  2016   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00756  2016   NtClose  (100, ... ) == 0x0
 00757  2016   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00758  2016   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00759  2016   NtAccessCheck  (1335152, 52, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00760  2016   NtClose  (52, ... ) == 0x0
 00761  2016   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00762  2016   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  2016   NtClose  (52, ... ) == 0x0
 00764  2016   NtUserSystemParametersInfo  (41, 500, 1240576, 0, ... ) == 0x1
 00765  2016   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00766  2016   NtAccessCheck  (1335152, 52, 0x1, 1240380, 1240432, 56, 1240412, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00767  2016   NtClose  (52, ... ) == 0x0
 00768  2016   NtOpenKey  (0x20019, {24, 100, 0x40, 0, 0,  (0x20019, {24, 100, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00769  2016   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770  2016   NtClose  (52, ... ) == 0x0
 00771  2016   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00772  2016   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00773  2016   NtClose  (100, ... ) == 0x0
 00774  2016   NtUserSystemParametersInfo  (4130, 0, 1241080, 0, ... ) == 0x1
 00775  2016   NtOpenKey  (0x1, {24, 16, 0x40, 0, 0,  (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 100, ) }, ... 100, ) == 0x0
 00776  2016   NtEnumerateValueKey  (100, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00777  2016   NtClose  (100, ... ) == 0x0
 00778  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00779  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03b
 00780  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03d
 00781  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00782  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c03f
 00783  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00784  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c041
 00785  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00786  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c043
 00787  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c045
 00788  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00789  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c047
 00790  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00791  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c049
 00792  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00793  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04b
 00794  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00795  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04d
 00796  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00797  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c04f
 00798  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c051
 00799  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00800  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c053
 00801  2016   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 00802  2016   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c055
 00803  2016   NtUserFindExistingCursorIcon  (1240324, 1240340, 1240388, ... ) == 0x10011
 00804  2016   NtUserRegisterClassExWOW  (1240268, 1240336, 1240352, 1240368, 0, 384, 0, ... ) == 0x8177c057
 00805  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00806  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c059
 00807  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 00808  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05b
 00809  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00810  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05d
 00811  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00812  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c05f
 00813  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00814  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c017
 00815  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00816  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c019
 00817  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10013
 00818  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c018
 00819  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00820  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01a
 00821  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00822  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01c
 00823  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00824  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c01e
 00825  2016   NtUserFindExistingCursorIcon  (1240320, 1240336, 1240384, ... ) == 0x10011
 00826  2016   NtUserRegisterClassExWOW  (1240320, 1240388, 1240404, 1240420, 0, 384, 0, ... ) == 0x8177c01b
 00827  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00828  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c068
 00829  2016   NtUserFindExistingCursorIcon  (1240328, 1240344, 1240392, ... ) == 0x10011
 00830  2016   NtUserRegisterClassExWOW  (1240272, 1240340, 1240356, 1240372, 0, 384, 0, ... ) == 0x8177c06a
 00831  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00832  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00833  2016   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00834  2016   NtClose  (100, ... ) == 0x0
 00835  2016   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00836  2016   NtSetInformationObject  (100, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00837  2016   NtCreateKey  (0x2001f, {24, 100, 0x40, 0, 0,  (0x2001f, {24, 100, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 52, 2, ) }, 0, 0x0, 0, ... 52, 2, ) == 0x0
 00838  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00839  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00840  2016   NtSetEventBoostPriority  (88, ...
 00619   596   NtWaitForSingleObject  ... ) == 0x0
 00841   596   NtTestAlert  (... ) == 0x0
 00842   596   NtContinue  (11468080, 1, ...
 00843   596   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00844   596   NtDeviceIoControlFile  (68, 80, 0x0, 0x77e466a0, 0x228144,  (68, 80, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00840  2016   NtSetEventBoostPriority  ... ) == 0x0
 00845  2016   NtTestAlert  (... ) == 0x0
 00846  2016   NtContinue  (1244464, 1, ...
 00847  2016   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x31011000,}, 4, ... ) == 0x0
 00848   596   NtWaitForMultipleObjects  (2, (72, 80, ), 1, 1, {1294967296, -1}, ... ) == 0x0
 00849   596   NtDeviceIoControlFile  (68, 84, 0x0, 0x77e46680, 0x228144,  (68, 84, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0L\0\0\0\0\0\0\0\\0\0\0\0\0\0\0@\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103
 00850  2016   NtCreateEvent  (0x1f0003, {24, 44, 0x80, 1245092, 0,  (0x1f0003, {24, 44, 0x80, 1245092, 0, "Vx_4"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == 0x0
 00851  2016   NtCreateSection  (0xe, {24, 0, 0x40, 1245092, 0,  (0xe, {24, 0, 0x40, 1245092, 0, "\BaseNamedObjects\VtSect"}, {29480, 0}, 64, 134217728, 0, ... 108, ) }, {29480, 0}, 64, 134217728, 0, ... 108, ) == 0x0
 00852  2016   NtMapViewOfSection  (108, -1, (0x0), 0, 29480, 0x0, 29480, 2, 0, 64, ... (0x370000), 0x0, 32768, ) == 0x0
 00853  2016   NtOpenProcessToken  (-1, 0x20, ... 112, ) == 0x0
 00854  2016   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00855   596   NtWaitForMultipleObjects  (2, (72, 84, ), 1, 1, {1294967296, -1}, ...
 00856  2016   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00857  2016   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00858  2016   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859  2016   NtClose  (116, ... ) == 0x0
 00860  2016   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00862  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 00863  2016   NtQuerySystemTime  (... {1417422914, 29929616}, ) == 0x0
 00864  2016   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00865  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00866  2016   NtOpenKey  (0x20019, {24, 16, 0x40, 0, 0,  (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867  2016   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00868  2016   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00869  2016   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00870  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 00871  2016   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 00872  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00873  2016   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 00874  2016   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 00875  2016   NtClose  (140, ... ) == 0x0
 00876  2016   NtClose  (136, ... ) == 0x0
 00877  2016   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 00878  2016   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 00879  2016   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 00880  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00881  2016   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00882  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 00883  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00884  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00885  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243236,  (0xc0100080, {24, 0, 0x40, 0, 1243236, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 00886  2016   NtSetInformationFile  (152, 1243292, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00887  2016   NtSetInformationFile  (152, 1243280, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00888  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00889  2016   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00890  2016   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00891  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0,\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00892  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103
 00893  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00894  2016   NtClose  (148, ... ) == 0x0
 00895  2016   NtClose  (152, ... ) == 0x0
 00896  2016   NtAdjustPrivilegesToken  (112, 0, 1245080, 0, 0, 0, ... ) == 0x0
 00897  2016   NtClose  (112, ... ) == 0x0
 00898  2016   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 4096, 4, ... 3735552, 65536, ) == 0x0
 00899  2016   NtQuerySystemInformation  (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0
 00900  2016   NtCreateSection  (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 00901  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 00902  2016   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 00903  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 20480, ) == 0x0
 00904  2016   NtFreeVirtualMemory  (-1, (0x390000), 0, 32768, ... (0x390000), 65536, ) == 0x0
 00905  2016   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 00906  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00907  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00908  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00909  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00910  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00911  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00912  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00913  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00914  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00915  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00916  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 152, ) == 0x0
 00917  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 148, ) }, ... 148, ) == 0x0
 00918  2016   NtMapViewOfSection  (148, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00919  2016   NtClose  (148, ... ) == 0x0
 00920  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00921  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00922  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00923  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00924  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00925  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00926  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00927  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00928  2016   NtAllocateVirtualMemory  (152, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0
 00929  2016   NtAllocateVirtualMemory  (152, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0
 00930  2016   NtProtectVirtualMemory  (152, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0
 00931  2016   NtCreateThread  (0x1f03ff, 0x0, 152, 1243840, 1243784, 1, ... 148, {580, 376}, ) == 0x0
 00932  2016   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0D\2\0\0x\1\0\0" )  ... {28, 56, reply, 0, 896, 2016, 81840, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0D\2\0\0x\1\0\0" ... {28, 56, reply, 0, 896, 2016, 81840, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\224\0\0\0D\2\0\0x\1\0\0" )  ) == 0x0
 00933  2016   NtResumeThread  (148, ... 1, ) == 0x0
 00934  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00935  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00936  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00937  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00938  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00939  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00940  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00941  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00942  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00943  2016   NtDelayExecution  (0, {-100000, -1}, ... ) == 0x0
 00944  2016   NtClose  (152, ... ) == 0x0
 00945  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00946  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00947  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {640, 0}, ... 152, ) == 0x0
 00948  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 00949  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00950  2016   NtClose  (156, ... ) == 0x0
 00951  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00952  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00953  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00954  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00955  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00956  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00957  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00958  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00959  2016   NtClose  (152, ... ) == 0x0
 00960  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00961  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00962  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {652, 0}, ... 152, ) == 0x0
 00963  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 00964  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ff90000), 0x0, 32768, ) == 0x0
 00965  2016   NtClose  (156, ... ) == 0x0
 00966  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00967  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00968  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00969  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00970  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00971  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00972  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00973  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Rh\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00974  2016   NtClose  (152, ... ) == 0x0
 00975  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00976  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00977  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {816, 0}, ... 152, ) == 0x0
 00978  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 00979  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00980  2016   NtClose  (156, ... ) == 0x0
 00981  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00982  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00983  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00984  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00985  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00986  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00987  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00988  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00989  2016   NtClose  (152, ... ) == 0x0
 00990  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 00991  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 00992  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {904, 0}, ... 152, ) == 0x0
 00993  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 00994  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 00995  2016   NtClose  (156, ... ) == 0x0
 00996  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 00997  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 00998  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 00999  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01000  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01001  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01002  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01003  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01004  2016   NtClose  (152, ... ) == 0x0
 01005  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01006  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01007  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1000, 0}, ... 152, ) == 0x0
 01008  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01009  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ff50000), 0x0, 32768, ) == 0x0
 01010  2016   NtClose  (156, ... ) == 0x0
 01011  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01012  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Rd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01013  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01014  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01015  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01016  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Rd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01017  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01018  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Rd\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01019  2016   NtClose  (152, ... ) == 0x0
 01020  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01021  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01022  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 152, ) == 0x0
 01023  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01024  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01025  2016   NtClose  (156, ... ) == 0x0
 01026  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01027  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01028  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01029  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01030  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01031  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01032  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01033  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01034  2016   NtClose  (152, ... ) == 0x0
 01035  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01036  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01037  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1196, 0}, ... 152, ) == 0x0
 01038  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01039  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01040  2016   NtClose  (156, ... ) == 0x0
 01041  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01042  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01043  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01044  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01045  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01046  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01047  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01048  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01049  2016   NtClose  (152, ... ) == 0x0
 01050  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01051  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01052  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1468, 0}, ... 152, ) == 0x0
 01053  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01054  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01055  2016   NtClose  (156, ... ) == 0x0
 01056  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01057  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01058  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01059  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01060  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01061  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01062  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01063  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01064  2016   NtClose  (152, ... ) == 0x0
 01065  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01066  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01067  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1720, 0}, ... 152, ) == 0x0
 01068  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01069  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01070  2016   NtClose  (156, ... ) == 0x0
 01071  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01072  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01073  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01074  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01075  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01076  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01077  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01078  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01079  2016   NtClose  (152, ... ) == 0x0
 01080  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01081  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01082  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1888, 0}, ... 152, ) == 0x0
 01083  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01084  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01085  2016   NtClose  (156, ... ) == 0x0
 01086  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01087  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01088  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01089  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01090  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01091  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01092  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01093  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01094  2016   NtClose  (152, ... ) == 0x0
 01095  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01096  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01097  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2024, 0}, ... 152, ) == 0x0
 01098  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01099  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01100  2016   NtClose  (156, ... ) == 0x0
 01101  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01102  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01103  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01104  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01105  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01106  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01107  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01108  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01109  2016   NtClose  (152, ... ) == 0x0
 01110  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01111  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01112  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 152, ) == 0x0
 01113  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01114  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01115  2016   NtClose  (156, ... ) == 0x0
 01116  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01117  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01118  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01119  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01120  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01121  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01122  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01123  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01124  2016   NtClose  (152, ... ) == 0x0
 01125  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01126  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01127  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {160, 0}, ... 152, ) == 0x0
 01128  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01129  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01130  2016   NtClose  (156, ... ) == 0x0
 01131  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01132  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01133  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01134  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01135  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01136  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01137  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01138  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01139  2016   NtClose  (152, ... ) == 0x0
 01140  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01141  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01142  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {260, 0}, ... 152, ) == 0x0
 01143  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01144  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01145  2016   NtClose  (156, ... ) == 0x0
 01146  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01147  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01148  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01149  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01150  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01151  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01152  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01153  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01154  2016   NtClose  (152, ... ) == 0x0
 01155  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01156  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01157  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {288, 0}, ... 152, ) == 0x0
 01158  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01159  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01160  2016   NtClose  (156, ... ) == 0x0
 01161  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01162  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01163  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01164  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01165  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01166  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01167  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01168  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01169  2016   NtClose  (152, ... ) == 0x0
 01170  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01171  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01172  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {412, 0}, ... 152, ) == 0x0
 01173  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01174  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01175  2016   NtClose  (156, ... ) == 0x0
 01176  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01177  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01178  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01179  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01180  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01181  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01182  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01183  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01184  2016   NtClose  (152, ... ) == 0x0
 01185  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01186  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01187  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1408, 0}, ... 152, ) == 0x0
 01188  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01189  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01190  2016   NtClose  (156, ... ) == 0x0
 01191  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01192  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01193  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01194  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01195  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01196  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01197  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01198  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01199  2016   NtClose  (152, ... ) == 0x0
 01200  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01201  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01202  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {556, 0}, ... 152, ) == 0x0
 01203  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01204  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01205  2016   NtClose  (156, ... ) == 0x0
 01206  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01207  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01208  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01209  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01210  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01211  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01212  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01213  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01214  2016   NtClose  (152, ... ) == 0x0
 01215  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01216  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01217  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1204, 0}, ... 152, ) == 0x0
 01218  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01219  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01220  2016   NtClose  (156, ... ) == 0x0
 01221  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01222  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01223  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01224  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01225  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01226  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01227  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01228  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01229  2016   NtClose  (152, ... ) == 0x0
 01230  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01231  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01232  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1452, 0}, ... 152, ) == 0x0
 01233  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01234  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01235  2016   NtClose  (156, ... ) == 0x0
 01236  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01237  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01238  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01239  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01240  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01241  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01242  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01243  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01244  2016   NtClose  (152, ... ) == 0x0
 01245  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01246  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01247  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {784, 0}, ... 152, ) == 0x0
 01248  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01249  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01250  2016   NtClose  (156, ... ) == 0x0
 01251  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01252  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01253  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01254  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01255  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01256  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01257  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01258  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01259  2016   NtClose  (152, ... ) == 0x0
 01260  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01261  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01262  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {488, 0}, ... 152, ) == 0x0
 01263  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01264  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01265  2016   NtClose  (156, ... ) == 0x0
 01266  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01267  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01268  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01269  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01270  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01271  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01272  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01273  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01274  2016   NtClose  (152, ... ) == 0x0
 01275  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01276  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01277  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1208, 0}, ... 152, ) == 0x0
 01278  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01279  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01280  2016   NtClose  (156, ... ) == 0x0
 01281  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01282  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01283  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01284  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01285  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01286  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01287  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01288  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01289  2016   NtClose  (152, ... ) == 0x0
 01290  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01291  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01292  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 152, ) == 0x0
 01293  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01294  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01295  2016   NtClose  (156, ... ) == 0x0
 01296  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01297  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01298  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01299  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01300  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01301  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01302  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01303  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01304  2016   NtClose  (152, ... ) == 0x0
 01305  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01306  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01307  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {764, 0}, ... 152, ) == 0x0
 01308  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01309  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01310  2016   NtClose  (156, ... ) == 0x0
 01311  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01312  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01313  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01314  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01315  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01316  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01317  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01318  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01319  2016   NtClose  (152, ... ) == 0x0
 01320  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01321  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01322  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {824, 0}, ... 152, ) == 0x0
 01323  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01324  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01325  2016   NtClose  (156, ... ) == 0x0
 01326  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01327  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01328  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01329  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01330  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01331  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01332  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01333  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01334  2016   NtClose  (152, ... ) == 0x0
 01335  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01336  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01337  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 152, ) == 0x0
 01338  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01339  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01340  2016   NtClose  (156, ... ) == 0x0
 01341  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01342  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01343  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01344  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01345  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01346  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01347  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01348  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01349  2016   NtClose  (152, ... ) == 0x0
 01350  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01351  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01352  2016   NtOpenProcess  (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {896, 0}, ... 152, ) == 0x0
 01353  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 156, ) }, ... 156, ) == 0x0
 01354  2016   NtMapViewOfSection  (156, 152, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 01355  2016   NtClose  (156, ... ) == 0x0
 01356  2016   NtProtectVirtualMemory  (152, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 01357  2016   NtWriteVirtualMemory  (152, 0x7c90d682,  (152, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01358  2016   NtProtectVirtualMemory  (152, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01359  2016   NtWriteVirtualMemory  (152, 0x7c90dcfd,  (152, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01360  2016   NtProtectVirtualMemory  (152, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01361  2016   NtWriteVirtualMemory  (152, 0x7c90d754,  (152, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01362  2016   NtProtectVirtualMemory  (152, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 01363  2016   NtWriteVirtualMemory  (152, 0x7c90d769,  (152, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 01364  2016   NtClose  (152, ... ) == 0x0
 01365  2016   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 20480, ) == 0x0
 01366  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01367  2016   NtClose  (112, ... ) == 0x0
 01368  2016   NtClose  (104, ... ) == 0x0
 01369  2016   NtQueryVirtualMemory  (-1, 0x31007209, Basic, 28, ... {BaseAddress=0x31007000,AllocationBase=0x31000000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01370  2016   NtContinue  (1244272, 0, ...
 01371  2016   NtCreateEvent  (0x1f0003, {24, 44, 0x80, 1245092, 0,  (0x1f0003, {24, 44, 0x80, 1245092, 0, "Vx_4"}, 1, 0, ... 104, ) }, 1, 0, ... 104, ) == STATUS_OBJECT_NAME_EXISTS
 01372  2016   NtClose  (104, ... ) == 0x0
 01373  2016   NtQueryVirtualMemory  (-1, 0x31007206, Basic, 28, ... {BaseAddress=0x31007000,AllocationBase=0x31000000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0
 01374  2016   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "FTPUPD.EXE"}, 1244828, ... ) }, 1244828, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01375  2016   NtOpenProcessToken  (-1, 0x28, ... 104, ) == 0x0
 01376  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01377  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01378  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01379  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01380  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243056,  (0xc0100080, {24, 0, 0x40, 0, 1243056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01381  2016   NtSetInformationFile  (152, 1243112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01382  2016   NtSetInformationFile  (152, 1243100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01383  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01384  2016   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01385  2016   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01386  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01387  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\3510\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\0\0\0\0", ) , 112, 1024, ... {status=0x103, info=48},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\3510\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351\0\0\0\0", ) , ) == 0x103
 01388  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1xH\376\32\235JO\235\342d\324\312\304\340\351", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01389  2016   NtClose  (112, ... ) == 0x0
 01390  2016   NtClose  (152, ... ) == 0x0
 01391  2016   NtAdjustPrivilegesToken  (104, 0, 1244900, 0, 0, 0, ... ) == 0x0
 01392  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01393  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01394  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01395  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01396  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243056,  (0xc0100080, {24, 0, 0x40, 0, 1243056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01397  2016   NtSetInformationFile  (112, 1243112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01398  2016   NtSetInformationFile  (112, 1243100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01399  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01400  2016   NtWriteFile  (112, 129, 0, 0,  (112, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01401  2016   NtReadFile  (112, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (112, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01402  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20n+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01403  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23\0\0\0\0", ) , 100, 1024, ... {status=0x103, info=48},  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23\0\0\0\0", ) , ) == 0x103
 01404  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0.t\201\271\16\305\352A\2679V\220\326\355\16\23", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01405  2016   NtClose  (152, ... ) == 0x0
 01406  2016   NtClose  (112, ... ) == 0x0
 01407  2016   NtAdjustPrivilegesToken  (104, 0, 1244900, 0, 0, 0, ... ) == 0x0
 01408  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01409  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 01410  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01411  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01412  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243056,  (0xc0100080, {24, 0, 0x40, 0, 1243056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01413  2016   NtSetInformationFile  (152, 1243112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01414  2016   NtSetInformationFile  (152, 1243100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01415  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01416  2016   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01417  2016   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01418  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20o+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01419  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-"\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-\0\0\0\0", ) \0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-"\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-\0\0\0\0", ) == 0x103
 01420  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\07\237y\212\234J\353N\250\27\371L\264\213S-", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01421  2016   NtClose  (112, ... ) == 0x0
 01422  2016   NtClose  (152, ... ) == 0x0
 01423  2016   NtAdjustPrivilegesToken  (104, 0, 1244900, 0, 0, 0, ... ) == 0x0
 01424  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01425  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01426  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01427  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01428  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243056,  (0xc0100080, {24, 0, 0x40, 0, 1243056, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 01429  2016   NtSetInformationFile  (112, 1243112, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01430  2016   NtSetInformationFile  (112, 1243100, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01431  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01432  2016   NtWriteFile  (112, 129, 0, 0,  (112, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01433  2016   NtReadFile  (112, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (112, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01434  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\376\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01435  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354\0\0\0\0", ) \211\5\277_A\252\250\245\310d\34\17\354.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0y\6 (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354\0\0\0\0", ) , ) == 0x103
 01436  2016   NtFsControlFile  (112, 129, 0x0, 0x0, 0x11c017,  (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) \211\5\277_A\252\250\245\310d\34\17\354 (112, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0y\6"\211\5\277_A\252\250\245\310d\34\17\354", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) \5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) == 0x103
 01437  2016   NtClose  (152, ... ) == 0x0
 01438  2016   NtClose  (112, ... ) == 0x0
 01439  2016   NtAdjustPrivilegesToken  (104, 0, 1244900, 0, 0, 0, ... ) == 0x0
 01440  2016   NtQueryInformationToken  (104, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0
 01441  2016   NtClose  (104, ... ) == 0x0
 01442  2016   NtOpenFile  (0x80000, {24, 12, 0x40, 0, 0,  (0x80000, {24, 12, 0x40, 0, 0, "FTPUPD.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01443  2016   NtOpenFile  (0x40000, {24, 12, 0x40, 0, 0,  (0x40000, {24, 12, 0x40, 0, 0, "FTPUPD.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  2016   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "FTPUPD.EXE"}, 1244828, ... ) }, 1244828, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01445  2016   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446  2016   NtCreateMutant  (0x1f0001, {24, 44, 0x80, 0, 0,  (0x1f0001, {24, 44, 0x80, 0, 0, "uterm13"}, 1, ... 104, ) }, 1, ... 104, ) == 0x0
 01447  2016   NtOpenProcessToken  (-1, 0x20, ... 112, ) == 0x0
 01448  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01449  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01450  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01451  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01452  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243232,  (0xc0100080, {24, 0, 0x40, 0, 1243232, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01453  2016   NtSetInformationFile  (156, 1243288, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01454  2016   NtSetInformationFile  (156, 1243276, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01455  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01456  2016   NtWriteFile  (156, 129, 0, 0,  (156, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01457  2016   NtReadFile  (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (156, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01458  2016   NtFsControlFile  (156, 129, 0x0, 0x0, 0x11c017,  (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01459  2016   NtFsControlFile  (156, 129, 0x0, 0x0, 0x11c017,  (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364 \0"\0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) N}\323XAC\252\21H\231\344K\241\364 \0 (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364 \0"\0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) , 96, 1024, ... {status=0x103, info=48},  (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364 \0"\0Ho\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) N}\323XAC\252\21H\231\344K\241\364\0\0\0\0", ) == 0x103
 01460  2016   NtFsControlFile  (156, 129, 0x0, 0x0, 0x11c017,  (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) N}\323XAC\252\21H\231\344K\241\364 (156, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\367"N}\323XAC\252\21H\231\344K\241\364", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) \5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) == 0x103
 01461  2016   NtClose  (152, ... ) == 0x0
 01462  2016   NtClose  (156, ... ) == 0x0
 01463  2016   NtAdjustPrivilegesToken  (112, 0, 1245084, 16, 0, 0, ... ) == 0x0
 01464  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01465  2016   NtQueryValueKey  (156,  (156, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01466  2016   NtClose  (156, ... ) == 0x0
 01467  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01468  2016   NtQueryValueKey  (156,  (156, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01469  2016   NtClose  (156, ... ) == 0x0
 01470  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01471  2016   NtQueryValueKey  (156,  (156, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01472  2016   NtClose  (156, ... ) == 0x0
 01473  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01474  2016   NtQueryValueKey  (156,  (156, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475  2016   NtClose  (156, ... ) == 0x0
 01476  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01477  2016   NtQueryValueKey  (156,  (156, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478  2016   NtClose  (156, ... ) == 0x0
 01479  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01480  2016   NtQueryValueKey  (156,  (156, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481  2016   NtClose  (156, ... ) == 0x0
 01482  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01483  2016   NtQueryValueKey  (156,  (156, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01484  2016   NtClose  (156, ... ) == 0x0
 01485  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01486  2016   NtQueryValueKey  (156,  (156, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487  2016   NtClose  (156, ... ) == 0x0
 01488  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01489  2016   NtQueryValueKey  (156,  (156, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490  2016   NtClose  (156, ... ) == 0x0
 01491  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01492  2016   NtQueryValueKey  (156,  (156, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493  2016   NtClose  (156, ... ) == 0x0
 01494  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01495  2016   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01496  2016   NtSetInformationFile  (-2147482448, -135748592, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01497  2016   NtSetInformationFile  (-2147482448, -135749060, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01498  2016   NtSetInformationFile  (-2147482448, -135748876, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01499  2016   NtSetInformationFile  (-2147482448, -135748688, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01495  2016   NtCreateKey  ... 156, 1, ) == 0x0
 01500  2016   NtSetValueKey  (156,  (156, "ID", 0, 1, "y\0e\0z\0t\0y\0v\0q\0d\0p\0r\0l\0h\0s\0i\0x\0\0\0", 32, ... , 0, 1,  (156, "ID", 0, 1, "y\0e\0z\0t\0y\0v\0q\0d\0p\0r\0l\0h\0s\0i\0x\0\0\0", 32, ... , 32, ...
 01501  2016   NtSetInformationFile  (-2147482448, -135748192, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01500  2016   NtSetValueKey  ... ) == 0x0
 01502  2016   NtClose  (156, ... ) == 0x0
 01503  2016   NtOpenKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 156, ) }, ... 156, ) == 0x0
 01504  2016   NtQueryValueKey  (156,  (156, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505  2016   NtClose  (156, ... ) == 0x0
 01506  2016   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 156, 2, ) }, 0, 0x0, 0, ... 156, 2, ) == 0x0
 01507  2016   NtSetValueKey  (156,  (156, "Client", 0, 1, "1\0\0\0", 4, ... , 0, 1,  (156, "Client", 0, 1, "1\0\0\0", 4, ... , 4, ...
 01508  2016   NtSetInformationFile  (-2147482448, -135748240, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01507  2016   NtSetValueKey  ... ) == 0x0
 01509  2016   NtClose  (156, ... ) == 0x0
 01510  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1243240, ... ) }, 1243240, ... ) == 0x0
 01511  2016   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 156, {status=0x0, info=1}, ) }, 7, 2113568, ... 156, {status=0x0, info=1}, ) == 0x0
 01512  2016   NtSetInformationFile  (156, 1243216, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01513  2016   NtClose  (156, ... ) == 0x0
 01514  2016   NtOpenProcessToken  (-1, 0x28, ... 156, ) == 0x0
 01515  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01516  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01517  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01518  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01519  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241468,  (0xc0100080, {24, 0, 0x40, 0, 1241468, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01520  2016   NtSetInformationFile  (160, 1241524, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01521  2016   NtSetInformationFile  (160, 1241512, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01522  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01523  2016   NtWriteFile  (160, 129, 0, 0,  (160, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01524  2016   NtReadFile  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01525  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01526  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\3370\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337\0\0\0\0", ) , 112, 1024, ... {status=0x103, info=48},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\3370\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337\0\0\0\0", ) , ) == 0x103
 01527  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0X\33\236\13\236WsB\202\210\263w\277\373\354\337", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01528  2016   NtClose  (152, ... ) == 0x0
 01529  2016   NtClose  (160, ... ) == 0x0
 01530  2016   NtAdjustPrivilegesToken  (156, 0, 1243312, 0, 0, 0, ... ) == 0x0
 01531  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01532  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01533  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01534  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01535  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241468,  (0xc0100080, {24, 0, 0x40, 0, 1241468, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01536  2016   NtSetInformationFile  (152, 1241524, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01537  2016   NtSetInformationFile  (152, 1241512, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01538  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01539  2016   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01540  2016   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01541  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20s+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01542  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H\0\0\0\0", ) , 100, 1024, ... {status=0x103, info=48},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H\0\0\0\0", ) , ) == 0x103
 01543  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\252\366\254\341x\227XM\215\230\305\25-\27\256H", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01544  2016   NtClose  (160, ... ) == 0x0
 01545  2016   NtClose  (152, ... ) == 0x0
 01546  2016   NtAdjustPrivilegesToken  (156, 0, 1243312, 0, 0, 0, ... ) == 0x0
 01547  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01548  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0
 01549  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01550  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01551  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241468,  (0xc0100080, {24, 0, 0x40, 0, 1241468, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01552  2016   NtSetInformationFile  (160, 1241524, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01553  2016   NtSetInformationFile  (160, 1241512, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01554  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01555  2016   NtWriteFile  (160, 129, 0, 0,  (160, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01556  2016   NtReadFile  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01557  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01558  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)["\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[\0\0\0\0", ) \0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)["\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[\0\0\0\0", ) == 0x103
 01559  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\261\303v\367g\6\1N\203gPm\311O)[", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01560  2016   NtClose  (152, ... ) == 0x0
 01561  2016   NtClose  (160, ... ) == 0x0
 01562  2016   NtAdjustPrivilegesToken  (156, 0, 1243312, 0, 0, 0, ... ) == 0x0
 01563  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01564  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01565  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01566  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01567  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241468,  (0xc0100080, {24, 0, 0x40, 0, 1241468, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01568  2016   NtSetInformationFile  (152, 1241524, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01569  2016   NtSetInformationFile  (152, 1241512, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01570  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01571  2016   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01572  2016   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01573  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\370\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01574  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276\0\0\0\0", ) , 110, 1024, ... {status=0x103, info=48},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276\0\0\0\0", ) , ) == 0x103
 01575  2016   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\323Qv{{kdE\276\24\250\200.\243j\276", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01576  2016   NtClose  (160, ... ) == 0x0
 01577  2016   NtClose  (152, ... ) == 0x0
 01578  2016   NtAdjustPrivilegesToken  (156, 0, 1243312, 0, 0, 0, ... ) == 0x0
 01579  2016   NtQueryInformationToken  (156, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0
 01580  2016   NtClose  (156, ... ) == 0x0
 01581  2016   NtOpenFile  (0x80000, {24, 0, 0x40, 0, 0,  (0x80000, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2097152, ... 156, {status=0x0, info=1}, ) }, 7, 2097152, ... 156, {status=0x0, info=1}, ) == 0x0
 01582  2016   NtSetSecurityObject  (156, 1, {1, 0, 0x4, 2147102164, 0, 0, 0}, ... ) == STATUS_ACCESS_DENIED
 01583  2016   NtClose  (156, ... ) == 0x0
 01584  2016   NtOpenFile  (0x40000, {24, 0, 0x40, 0, 0,  (0x40000, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2097152, ... 156, {status=0x0, info=1}, ) }, 7, 2097152, ... 156, {status=0x0, info=1}, ) == 0x0
 01585  2016   NtSetSecurityObject  (156, 4, {1, 0, 0x4, 2147102164, 0, 0, 0}, ... ) == 0x0
 01586  2016   NtClose  (156, ... ) == 0x0
 01587  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 1243240, ... ) }, 1243240, ... ) == 0x0
 01588  2016   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\U:\WORK\PACKED.EXE"}, 7, 2113568, ... 156, {status=0x0, info=1}, ) }, 7, 2113568, ... 156, {status=0x0, info=1}, ) == 0x0
 01589  2016   NtSetInformationFile  (156, 1243216, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 01590  2016   NtClose  (156, ... ) == 0x0
 01591  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243488,  (0x80100080, {24, 0, 0x40, 0, 1243488, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 01592  2016   NtQueryInformationFile  (156, 1243924, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01593  2016   NtQueryInformationFile  (156, 1243840, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01594  2016   NtQueryInformationFile  (156, 1243656, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01595  2016   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 01596  2016   NtQueryInformationFile  (156, 1346256, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01597  2016   NtQueryInformationFile  (156, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01598  2016   NtQueryInformationFile  (156, 1242380, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01599  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 1241576, ... ) }, 1241576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600  2016   NtOpenProcessToken  (-1, 0x28, ... 152, ) == 0x0
 01601  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01602  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01603  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01604  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01605  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239804,  (0xc0100080, {24, 0, 0x40, 0, 1239804, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01606  2016   NtSetInformationFile  (164, 1239860, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01607  2016   NtSetInformationFile  (164, 1239848, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01608  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01609  2016   NtWriteFile  (164, 129, 0, 0,  (164, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01610  2016   NtReadFile  (164, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (164, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01611  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20v+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01612  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w0\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w\0\0\0\0", ) , 112, 1024, ... {status=0x103, info=48},  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0p\0\0\0\2\0\0\0X\0\0\0\0\0\37\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w0\02\0\210t\24\0\31\0\0\0\0\0\0\0\30\0\0\0S\0e\0T\0a\0k\0e\0O\0w\0n\0e\0r\0s\0h\0i\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 112, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w\0\0\0\0", ) , ) == 0x103
 01613  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\204v\6\203\262C\32F\210\231\322\305\374\260\16w", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01614  2016   NtClose  (160, ... ) == 0x0
 01615  2016   NtClose  (164, ... ) == 0x0
 01616  2016   NtAdjustPrivilegesToken  (152, 0, 1241648, 0, 0, 0, ... ) == 0x0
 01617  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01618  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01619  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01620  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01621  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239804,  (0xc0100080, {24, 0, 0x40, 0, 1239804, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01622  2016   NtSetInformationFile  (160, 1239860, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01623  2016   NtSetInformationFile  (160, 1239848, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01624  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01625  2016   NtWriteFile  (160, 129, 0, 0,  (160, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01626  2016   NtReadFile  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01627  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20w+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01628  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G\0\0\0\0", ) , 100, 1024, ... {status=0x103, info=48},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0d\0\0\0\2\0\0\0L\0\0\0\0\0\37\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G$\0&\0Ho\24\0\23\0\0\0\0\0\0\0\22\0\0\0S\0e\0R\0e\0s\0t\0o\0r\0e\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 100, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G\0\0\0\0", ) , ) == 0x103
 01629  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0:\341\25\375%\246\352B\204\366\320\272\346s\342G", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\22\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01630  2016   NtClose  (164, ... ) == 0x0
 01631  2016   NtClose  (160, ... ) == 0x0
 01632  2016   NtAdjustPrivilegesToken  (152, 0, 1241648, 0, 0, 0, ... ) == 0x0
 01633  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01634  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 01635  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01636  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01637  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239804,  (0xc0100080, {24, 0, 0x40, 0, 1239804, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01638  2016   NtSetInformationFile  (164, 1239860, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01639  2016   NtSetInformationFile  (164, 1239848, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01640  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01641  2016   NtWriteFile  (164, 129, 0, 0,  (164, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01642  2016   NtReadFile  (164, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (164, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01643  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01644  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231"\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) \0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231"\0$\0Ho\24\0\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0B\0a\0c\0k\0u\0p\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231\0\0\0\0", ) == 0x103
 01645  2016   NtFsControlFile  (164, 129, 0x0, 0x0, 0x11c017,  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (164, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\6\213\11[C\213\241L\276\303\213\220\2204\7\231", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01646  2016   NtClose  (160, ... ) == 0x0
 01647  2016   NtClose  (164, ... ) == 0x0
 01648  2016   NtAdjustPrivilegesToken  (152, 0, 1241648, 0, 0, 0, ... ) == 0x0
 01649  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01650  2016   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0
 01651  2016   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01652  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01653  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1239804,  (0xc0100080, {24, 0, 0x40, 0, 1239804, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01654  2016   NtSetInformationFile  (160, 1239860, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01655  2016   NtSetInformationFile  (160, 1239848, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01656  2016   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01657  2016   NtWriteFile  (160, 129, 0, 0,  (160, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01658  2016   NtReadFile  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01659  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\304\361\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01660  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\0\0\0\0", ) , 110, 1024, ... {status=0x103, info=48},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0n\0\0\0\2\0\0\0V\0\0\0\0\0\37\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31.\00\0\240:\24\0\30\0\0\0\0\0\0\0\27\0\0\0S\0e\0C\0h\0a\0n\0g\0e\0N\0o\0t\0i\0f\0y\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 110, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31\0\0\0\0", ) , ) == 0x103
 01661  2016   NtFsControlFile  (160, 129, 0x0, 0x0, 0x11c017,  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (160, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347\326\315lv\242\333N\201\354M\352\300h&\31", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\27\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01662  2016   NtClose  (164, ... ) == 0x0
 01663  2016   NtClose  (160, ... ) == 0x0
 01664  2016   NtAdjustPrivilegesToken  (152, 0, 1241648, 0, 0, 0, ... ) == 0x0
 01665  2016   NtQueryInformationToken  (152, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0
 01666  2016   NtClose  (152, ... ) == 0x0
 01667  2016   NtOpenFile  (0x80000, {24, 0, 0x40, 0, 0,  (0x80000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01668  2016   NtOpenFile  (0x40000, {24, 0, 0x40, 0, 0,  (0x40000, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 7, 2097152, ... ) }, 7, 2097152, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01669  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 1241576, ... ) }, 1241576, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01670  2016   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242256,  (0x40110080, {24, 0, 0x40, 0, 1242256, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01671  2016   NtClose  (-2147482756, ... ) == 0x0
 01670  2016   NtCreateFile  ... 152, {status=0x0, info=2}, ) == 0x0
 01672  2016   NtQueryVolumeInformationFile  (152, 1242408, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01673  2016   NtQueryInformationFile  (152, 1241992, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01674  2016   NtQueryVolumeInformationFile  (156, 1242408, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01675  2016   NtSetInformationFile  (152, 1242308, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01676  2016   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 156, ... 160, ) == 0x0
 01677  2016   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x390000), {0, 0}, 61440, ) == 0x0
 01678  2016   NtClose  (160, ... ) == 0x0
 01679  2016   NtWriteFile  (152, 0, 0, 0,  (152, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0@\0\0\0\20\1\0\0P\0\0\0p\0\0\0\0\01\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0@\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 60928, 0x0, 0, ... {status=0x0, info=60928}, ) , 60928, 0x0, 0, ... {status=0x0, info=60928}, ) == 0x0
 01680  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01681  2016   NtSetInformationFile  (152, 1243656, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01682  2016   NtClose  (156, ... ) == 0x0
 01683  2016   NtClose  (152, ... ) == 0x0
 01684  2016   NtCreateKey  (0xf003f, {24, 16, 0x40, 0, 0,  (0xf003f, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 152, 2, ) }, 0, 0x0, 0, ... 152, 2, ) == 0x0
 01685  2016   NtSetValueKey  (152,  (152, "Windows Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0y\0e\0b\0u\0q\0p\0y\0.\0e\0x\0e\0\0\0", 64, ... , 0, 1,  (152, "Windows Update", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0y\0e\0b\0u\0q\0p\0y\0.\0e\0x\0e\0\0\0", 64, ... , 64, ...
 01686  2016   NtSetInformationFile  (-2147482448, -135747792, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01687  2016   NtSetInformationFile  (-2147482448, -135747884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01685  2016   NtSetValueKey  ... ) == 0x0
 01688  2016   NtClose  (152, ... ) == 0x0
 01689  2016   NtClose  (104, ... ) == 0x0
 01690  2016   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01691  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 1240876, ... ) }, 1240876, ... ) == 0x0
 01692  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 1241612, ... ) }, 1241612, ... ) == 0x0
 01693  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 1241528, ... ) }, 1241528, ... ) == 0x0
 01694  2016   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01695  2016   NtSetInformationFile  (104, 1241504, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01696  2016   NtClose  (104, ... ) == 0x0
 01697  2016   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1241512,  (0xc0100080, {24, 0, 0x40, 0, 1241512, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 0x0, 0, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01698  2016   NtQueryInformationFile  (104, 1241564, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01699  2016   NtQueryInformationFile  (104, 1241564, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01700  2016   NtCreateSection  (0xf0007, 0x0, {60928, 0}, 4, 134217728, 104, ... 152, ) == 0x0
 01701  2016   NtMapViewOfSection  (152, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 61440, ) == 0x0
 01702  2016   NtUnmapViewOfSection  (-1, 0x390000, ... ) == 0x0
 01703  2016   NtClose  (152, ... ) == 0x0
 01704  2016   NtSetInformationFile  (104, 1241568, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01705  2016   NtClose  (104, ... ) == 0x0
 01706  2016   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\SYSTEM32\YEBUQPY.EXE"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0
 01707  2016   NtSetInformationFile  (104, 1241508, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01708  2016   NtClose  (104, ... ) == 0x0
 01709  2016   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01710  2016   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 104, ... 152, ) == 0x0
 01711  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01712  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 156, ) }, ... 156, ) == 0x0
 01713  2016   NtQueryValueKey  (156,  (156, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01714  2016   NtClose  (156, ... ) == 0x0
 01715  2016   NtQueryVolumeInformationFile  (104, 1240888, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01716  2016   NtOpenMutant  (0x120001, {24, 44, 0x0, 0, 0,  (0x120001, {24, 44, 0x0, 0, 0, "ShimCacheMutex"}, ... 156, ) }, ... 156, ) == 0x0
 01717  2016   NtWaitForSingleObject  (156, 0, {-1000000, -1}, ... ) == 0x0
 01718  2016   NtOpenSection  (0x2, {24, 44, 0x0, 0, 0,  (0x2, {24, 44, 0x0, 0, 0, "ShimSharedMemory"}, ... 160, ) }, ... 160, ) == 0x0
 01719  2016   NtMapViewOfSection  (160, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 57344, ) == 0x0
 01720  2016   NtReleaseMutant  (156, ... 0x0, ) == 0x0
 01721  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238820, ... ) }, 1238820, ... ) == 0x0
 01722  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01723  2016   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 164, ... 168, ) == 0x0
 01724  2016   NtClose  (164, ... ) == 0x0
 01725  2016   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3a0000), 0x0, 126976, ) == 0x0
 01726  2016   NtClose  (168, ... ) == 0x0
 01727  2016   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 01728  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239128, ... ) }, 1239128, ... ) == 0x0
 01729  2016   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01730  2016   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 168, ... 164, ) == 0x0
 01731  2016   NtQuerySection  (164, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01732  2016   NtClose  (168, ... ) == 0x0
 01733  2016   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01734  2016   NtClose  (164, ... ) == 0x0
 01735  2016   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01736  2016   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01737  2016   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01738  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01739  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 164, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 164, {status=0x0, info=1}, ) == 0x0
 01740  2016   NtQueryInformationFile  (164, 1239144, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01741  2016   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 164, ... 168, ) == 0x0
 01742  2016   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xaf0000), 0x0, 1191936, ) == 0x0
 01743  2016   NtQueryInformationFile  (164, 1239244, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01744  2016   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01745  2016   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01746  2016   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01747  2016   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01748  2016   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 172, ) }, ... 172, ) == 0x0
 01749  2016   NtQueryValueKey  (172,  (172, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (172, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01750  2016   NtClose  (172, ... ) == 0x0
 01751  2016   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01752  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01753  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1236840, 616, BothDirectory, 1,  (172, 0, 0, 0, 1236840, 616, BothDirectory, 1, "yebuqpy.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01754  2016   NtClose  (172, ... ) == 0x0
 01755  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01756  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01757  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 1237216, ... ) }, 1237216, ... ) == 0x0
 01758  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01759  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1,  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01760  2016   NtClose  (172, ... ) == 0x0
 01761  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01762  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1,  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01763  2016   NtClose  (172, ... ) == 0x0
 01764  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01765  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1,  (172, 0, 0, 0, 1236644, 616, BothDirectory, 1, "yebuqpy.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01766  2016   NtClose  (172, ... ) == 0x0
 01767  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01768  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01769  2016   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01770  2016   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01771  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01772  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01773  2016   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01774  2016   NtClose  (172, ... ) == 0x0
 01775  2016   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01776  2016   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\yebuqpy.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01777  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01778  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01779  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 1238468, ... ) }, 1238468, ... ) == 0x0
 01780  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01781  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01782  2016   NtClose  (172, ... ) == 0x0
 01783  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01784  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01785  2016   NtClose  (172, ... ) == 0x0
 01786  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01787  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237896, 616, BothDirectory, 1, "yebuqpy.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01788  2016   NtClose  (172, ... ) == 0x0
 01789  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01790  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01791  2016   NtWaitForSingleObject  (156, 0, {-1000000, -1}, ... ) == 0x0
 01792  2016   NtQueryVolumeInformationFile  (104, 1239124, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01793  2016   NtQueryInformationFile  (104, 1239104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01794  2016   NtQueryInformationFile  (104, 1239144, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01795  2016   NtReleaseMutant  (156, ... 0x0, ) == 0x0
 01796  2016   NtUnmapViewOfSection  (-1, 0xaf0000, ... ) == 0x0
 01797  2016   NtClose  (168, ... ) == 0x0
 01798  2016   NtClose  (164, ... ) == 0x0
 01799  2016   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01800  2016   NtOpenProcessToken  (-1, 0xa, ... 164, ) == 0x0
 01801  2016   NtQueryInformationToken  (164, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01802  2016   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01803  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01804  2016   NtQueryValueKey  (168,  (168, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (168, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01805  2016   NtQueryValueKey  (168,  (168, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (168, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01806  2016   NtClose  (168, ... ) == 0x0
 01807  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01808  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01809  2016   NtQueryValueKey  (168,  (168, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01810  2016   NtClose  (168, ... ) == 0x0
 01811  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01812  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01813  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01814  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01815  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01816  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01817  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01818  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01819  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01820  2016   NtQueryDefaultLocale  (1, 1240316, ... ) == 0x0
 01821  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 168, ) }, ... 168, ) == 0x0
 01822  2016   NtEnumerateKey  (168, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (168, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01823  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 172, ) }, ... 172, ) == 0x0
 01824  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01825  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01826  2016   NtClose  (172, ... ) == 0x0
 01827  2016   NtEnumerateKey  (168, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01828  2016   NtClose  (168, ... ) == 0x0
 01829  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 168, ) }, ... 168, ) == 0x0
 01830  2016   NtEnumerateKey  (168, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (168, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 01831  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 172, ) }, ... 172, ) == 0x0
 01832  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 01833  2016   NtQueryValueKey  (172,  (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01834  2016   NtQueryValueKey  (172,  (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01835  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01836  2016   NtClose  (172, ... ) == 0x0
 01837  2016   NtEnumerateKey  (168, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (168, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 01838  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 172, ) }, ... 172, ) == 0x0
 01839  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 01840  2016   NtQueryValueKey  (172,  (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01841  2016   NtQueryValueKey  (172,  (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01842  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01843  2016   NtClose  (172, ... ) == 0x0
 01844  2016   NtEnumerateKey  (168, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (168, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 01845  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 172, ) }, ... 172, ) == 0x0
 01846  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 01847  2016   NtQueryValueKey  (172,  (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01848  2016   NtQueryValueKey  (172,  (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01849  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01850  2016   NtClose  (172, ... ) == 0x0
 01851  2016   NtEnumerateKey  (168, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (168, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 01852  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 172, ) }, ... 172, ) == 0x0
 01853  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 01854  2016   NtQueryValueKey  (172,  (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01855  2016   NtQueryValueKey  (172,  (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01856  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01857  2016   NtClose  (172, ... ) == 0x0
 01858  2016   NtEnumerateKey  (168, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (168, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 01859  2016   NtOpenKey  (0x20019, {24, 168, 0x40, 0, 0,  (0x20019, {24, 168, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 172, ) }, ... 172, ) == 0x0
 01860  2016   NtQueryValueKey  (172,  (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (172, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 01861  2016   NtQueryValueKey  (172,  (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 01862  2016   NtQueryValueKey  (172,  (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (172, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 01863  2016   NtQueryValueKey  (172,  (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (172, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01864  2016   NtClose  (172, ... ) == 0x0
 01865  2016   NtEnumerateKey  (168, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01866  2016   NtClose  (168, ... ) == 0x0
 01867  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01868  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01871  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01872  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01873  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01874  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01875  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01876  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01877  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01878  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01879  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01880  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01881  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01882  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01883  2016   NtClose  (168, ... ) == 0x0
 01884  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01885  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01886  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01887  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01888  2016   NtClose  (168, ... ) == 0x0
 01889  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01890  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01891  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01892  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01893  2016   NtClose  (168, ... ) == 0x0
 01894  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01895  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01896  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01897  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01898  2016   NtClose  (168, ... ) == 0x0
 01899  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01900  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01901  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01902  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01903  2016   NtClose  (168, ... ) == 0x0
 01904  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01905  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01906  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01907  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01908  2016   NtClose  (168, ... ) == 0x0
 01909  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01910  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01911  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01912  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01913  2016   NtClose  (168, ... ) == 0x0
 01914  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01915  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01916  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01917  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01918  2016   NtClose  (168, ... ) == 0x0
 01919  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01920  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01921  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01922  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01923  2016   NtClose  (168, ... ) == 0x0
 01924  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01925  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01926  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01927  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01928  2016   NtClose  (168, ... ) == 0x0
 01929  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01930  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01931  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01932  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01933  2016   NtClose  (168, ... ) == 0x0
 01934  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01936  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01937  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01938  2016   NtClose  (168, ... ) == 0x0
 01939  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01940  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01941  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01942  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01943  2016   NtClose  (168, ... ) == 0x0
 01944  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01945  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01946  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01947  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01948  2016   NtClose  (168, ... ) == 0x0
 01949  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01950  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01951  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01952  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01953  2016   NtClose  (168, ... ) == 0x0
 01954  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01955  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 01956  2016   NtQueryValueKey  (168,  (168, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (168, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (168, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01957  2016   NtClose  (168, ... ) == 0x0
 01958  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01959  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01960  2016   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01961  2016   NtClose  (168, ... ) == 0x0
 01962  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01963  2016   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01964  2016   NtOpenProcessToken  (-1, 0xa, ... 168, ) == 0x0
 01965  2016   NtDuplicateToken  (168, 0xc, {24, 0, 0x0, 0, 1240748, 0x0}, 0, 2, ... 172, ) == 0x0
 01966  2016   NtClose  (168, ... ) == 0x0
 01967  2016   NtAccessCheck  (1354000, 172, 0x1, 1240824, 1240876, 56, 1240856, ... (0x1), ) == 0x0
 01968  2016   NtClose  (172, ... ) == 0x0
 01969  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 172, ) }, ... 172, ) == 0x0
 01970  2016   NtQueryValueKey  (172,  (172, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (172, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01971  2016   NtClose  (172, ... ) == 0x0
 01972  2016   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 172, ) }, ... 172, ) == 0x0
 01973  2016   NtQuerySymbolicLinkObject  (172, ...  (172, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01974  2016   NtClose  (172, ... ) == 0x0
 01975  2016   NtQueryVolumeInformationFile  (104, 1238580, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01976  2016   NtQueryInformationFile  (104, 1238696, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 01977  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01978  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01979  2016   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe"}, 1237868, ... ) }, 1237868, ... ) == 0x0
 01980  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01981  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01982  2016   NtClose  (172, ... ) == 0x0
 01983  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01984  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01985  2016   NtClose  (172, ... ) == 0x0
 01986  2016   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 172, {status=0x0, info=1}, ) }, 3, 16417, ... 172, {status=0x0, info=1}, ) == 0x0
 01987  2016   NtQueryDirectoryFile  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1,  (172, 0, 0, 0, 1237296, 616, BothDirectory, 1, "yebuqpy.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01988  2016   NtClose  (172, ... ) == 0x0
 01989  2016   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01990  2016   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01991  2016   NtQueryInformationFile  (104, 1240736, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01992  2016   NtCreateSection  (0xf0005, 0x0, {60928, 0}, 2, 134217728, 104, ... 172, ) == 0x0
 01993  2016   NtMapViewOfSection  (172, -1, (0x0), 0, 0, {0, 0}, 60928, 1, 0, 2, ... (0x3a0000), {0, 0}, 61440, ) == 0x0
 01994  2016   NtClose  (172, ... ) == 0x0
 01995  2016   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01996  2016   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01997  2016   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01998  2016   NtClose  (172, ... ) == 0x0
 01999  2016   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 172, ) }, ... 172, ) == 0x0
 02000  2016   NtOpenKey  (0x20019, {24, 172, 0x40, 0, 0,  (0x20019, {24, 172, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 168, ) }, ... 168, ) == 0x0
 02001  2016   NtClose  (172, ... ) == 0x0
 02002  2016   NtQueryValueKey  (168,  (168, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02003  2016   NtQueryValueKey  (168,  (168, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (168, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02004  2016   NtClose  (168, ... ) == 0x0
 02005  2016   NtUnmapViewOfSection  (-1, 0x3a0000, ... ) == 0x0
 02006  2016   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3801088, 4096, ) == 0x0
 02007  2016   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 02008  2016   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 168, ) }, ... 168, ) == 0x0
 02009  2016   NtQueryValueKey  (168,  (168, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02010  2016   NtClose  (168, ... ) == 0x0
 02011  2016   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02012  2016   NtQueryInformationToken  (164, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013  2016   NtQueryInformationToken  (164, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02014  2016   NtClose  (164, ... ) == 0x0
 02015  2016   NtQuerySection  (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02016  2016   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yebuqpy.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02017  2016   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02018  2016   NtCreateProcessEx  (1242660, 2035711, 0, -1, 0, 152, 0, 0, 0, ... ) == 0x0
 02019  2016   NtOpenSection  (0xe, {24, 0, 0x40, 0, 0,  (0xe, {24, 0, 0x40, 0, 0, "\BaseNamedObjects\VtSect"}, ... 168, ) }, ... 168, ) == 0x0
 02020  2016   NtMapViewOfSection  (168, 164, (0x0), 0, 29480, 0x0, 29480, 2, 1048576, 64, ... (0x7ffa0000), 0x0, 32768, ) == 0x0
 02021  2016   NtClose  (168, ... ) == 0x0
 02022  2016   NtProtectVirtualMemory  (164, (0x7c90d682), 5, 64, ... (0x7c90d000), 4096, 32, ) == 0x0
 02023  2016   NtWriteVirtualMemory  (164, 0x7c90d682,  (164, 0x7c90d682, "\350\217Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 02024  2016   NtProtectVirtualMemory  (164, (0x7c90dcfd), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 02025  2016   NtWriteVirtualMemory  (164, 0x7c90dcfd,  (164, 0x7c90dcfd, "\350aLi\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 02026  2016   NtProtectVirtualMemory  (164, (0x7c90d754), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 02027  2016   NtWriteVirtualMemory  (164, 0x7c90d754,  (164, 0x7c90d754, "\350\21Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 02028  2016   NtProtectVirtualMemory  (164, (0x7c90d769), 5, 64, ... (0x7c90d000), 4096, 64, ) == 0x0
 02029  2016   NtWriteVirtualMemory  (164, 0x7c90d769,  (164, 0x7c90d769, "\350\11Ri\3", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0
 02030  2016   NtQueryInformationProcess  (164, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1736,ParentPid=896,}, 0x0, ) == 0x0
 02031  2016   NtReadVirtualMemory  (164, 0x7ffde008, 4, ...  (164, 0x7ffde008, 4, ... "\0\0\01", 0x0, ) , 0x0, ) == 0x0
 02032  2016   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\yebuqpy.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02033  2016   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 02034  2016   NtReadVirtualMemory  (164, 0x31000000, 4096, ...  (164, 0x31000000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\240\240\240\240\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0@\0\0\0\20\1\0\0P\0\0\0p\0\0\0\0\01\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\220\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0p\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0@\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02035  2016   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02036  2016   NtQueryInformationProcess  (164, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1736,ParentPid=896,}, 0x0, ) == 0x0
 02037  2016   NtAllocateVirtualMemory  (-1, 0, 0, 2420, 4096, 4, ... 3866624, 4096, ) == 0x0
 02038  2016   NtAllocateVirtualMemory  (164, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02039  2016   NtWriteVirtualMemory  (164, 0x10000,  (164, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02040  2016   NtAllocateVirtualMemory  (164, 0, 0, 2420, 4096, 4, ... 131072, 4096, ) == 0x0
 02041  2016   NtWriteVirtualMemory  (164, 0x20000,  (164, 0x20000, "\0\20\0\0t\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\364\3\366\3\230\4\0\0>\0@\0\220\10\0\0>\0@\0\320\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0>\0@\0\20\11\0\0\36\0 \0P\11\0\0\0\0\2\0p\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2420, ... 0x0, ) , 2420, ... 0x0, ) == 0x0
 02042  2016   NtWriteVirtualMemory  (164, 0x7ffde010,  (164, 0x7ffde010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02043  2016   NtWriteVirtualMemory  (164, 0x7ffde1e8,  (164, 0x7ffde1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02044  2016   NtFreeVirtualMemory  (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 4096, ) == 0x0
 02045  2016   NtAllocateVirtualMemory  (164, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02046  2016   NtAllocateVirtualMemory  (164, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02047  2016   NtProtectVirtualMemory  (164, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02048  2016   NtCreateThread  (0x1f03ff, 0x0, 164, 1242668, 1242332, 1, ... 168, {1736, 320}, ) == 0x0
 02049  2016   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 69, 1346256, -2146434944, 1244536}  (24, {168, 196, new_msg, 0, 69, 1346256, -2146434944, 1244536} "\0\0\0\0\0\0\1\0\377\377\377\377\0\0\0\0\247\0\0\0\250\0\0\0\310\6\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0|\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" ... {168, 196, reply, 0, 896, 2016, 81887, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\244\0\0\0\250\0\0\0\310\6\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0|\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" )  ... {168, 196, reply, 0, 896, 2016, 81887, 0}  (24, {168, 196, new_msg, 0, 69, 1346256, -2146434944, 1244536} "\0\0\0\0\0\0\1\0\377\377\377\377\0\0\0\0\247\0\0\0\250\0\0\0\310\6\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0|\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" ... {168, 196, reply, 0, 896, 2016, 81887, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\244\0\0\0\250\0\0\0\310\6\0\0@\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\20\0\0|\371\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\24\0\326z\202|" )  ) == 0x0
 02050  2016   NtResumeThread  (168, ... 1, ) == 0x0
 02051  2016   NtClose  (104, ... ) == 0x0
 02052  2016   NtClose  (152, ... ) == 0x0
 02053  2016   NtQueryInformationProcess  (164, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1736,ParentPid=896,}, 0x0, ) == 0x0
 02054  2016   NtUserWaitForInputIdle  (1736, 30000, 0, ...
 02055  2016   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 152, ) == 0x0
 02056  2016   NtClose  (152, ... ) == 0x0
 02054  2016   NtUserWaitForInputIdle  ... ) == 0x0
 02057  2016   NtClose  (164, ... ) == 0x0
 02058  2016   NtClose  (168, ... ) == 0x0
 02059  2016   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 02060  2016   NtTerminateProcess  (0, 0, ...
 00855   596   NtWaitForMultipleObjects  ... ) == 0xc0
 02060  2016   NtTerminateProcess  ... ) == 0x0
 02061  2016   NtUserGetAtomName  (49211, 1243564, ... ) == 0xf
 02062  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02063  2016   NtUserGetAtomName  (49213, 1243564, ... ) == 0xd
 02064  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02065  2016   NtUserGetAtomName  (49215, 1243564, ... ) == 0x10
 02066  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02067  2016   NtUserGetAtomName  (49217, 1243564, ... ) == 0x12
 02068  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02069  2016   NtUserGetAtomName  (49219, 1243564, ... ) == 0xd
 02070  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02071  2016   NtUserGetAtomName  (49221, 1243564, ... ) == 0xb
 02072  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02073  2016   NtUserGetAtomName  (49223, 1243564, ... ) == 0xf
 02074  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02075  2016   NtUserGetAtomName  (49225, 1243564, ... ) == 0xd
 02076  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02077  2016   NtUserGetAtomName  (49227, 1243564, ... ) == 0x11
 02078  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02079  2016   NtUserGetAtomName  (49229, 1243564, ... ) == 0xf
 02080  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02081  2016   NtUserGetAtomName  (49231, 1243564, ... ) == 0x11
 02082  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02083  2016   NtUserGetAtomName  (49233, 1243564, ... ) == 0xf
 02084  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02085  2016   NtUserGetAtomName  (49235, 1243564, ... ) == 0xc
 02086  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02087  2016   NtUserGetAtomName  (49237, 1243556, ... ) == 0xd
 02088  2016   NtUserUnregisterClass  (1243616, 2000486400, 1243604, ... ) == 0x1
 02089  2016   NtUserGetAtomName  (49239, 1243556, ... ) == 0x11
 02090  2016   NtUserUnregisterClass  (1243616, 2000486400, 1243604, ... ) == 0x1
 02091  2016   NtUserGetAtomName  (49241, 1243564, ... ) == 0xc
 02092  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02093  2016   NtUserGetAtomName  (49243, 1243564, ... ) == 0xe
 02094  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02095  2016   NtUserGetAtomName  (49245, 1243564, ... ) == 0x8
 02096  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02097  2016   NtUserGetAtomName  (49247, 1243564, ... ) == 0xd
 02098  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02099  2016   NtUserGetAtomName  (49175, 1243564, ... ) == 0x6
 02100  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02101  2016   NtUserGetAtomName  (49177, 1243564, ... ) == 0x6
 02102  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02103  2016   NtUserGetAtomName  (49176, 1243564, ... ) == 0x4
 02104  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02105  2016   NtUserGetAtomName  (49178, 1243564, ... ) == 0x7
 02106  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02107  2016   NtUserGetAtomName  (49180, 1243564, ... ) == 0x8
 02108  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02109  2016   NtUserGetAtomName  (49182, 1243564, ... ) == 0x9
 02110  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02111  2016   NtUserGetAtomName  (49179, 1243556, ... ) == 0x9
 02112  2016   NtUserUnregisterClass  (1243616, 2000486400, 1243604, ... ) == 0x1
 02113  2016   NtUserGetAtomName  (49256, 1243564, ... ) == 0x7
 02114  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02115  2016   NtUserGetAtomName  (49258, 1243564, ... ) == 0xd
 02116  2016   NtUserUnregisterClass  (1243624, 2000486400, 1243612, ... ) == 0x1
 02117  2016   NtUnmapViewOfSection  (-1, 0x380000, ... ) == 0x0
 02118  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fad0, 0x22415c,  (56, 60, 0x0, 0x12fad0, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (56, 60, 0x0, 0x12fad0, 0x22415c, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "U\4\376\14\272\223\15D\243\376U9s\320\267#@\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , ) == 0x0
 02119  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fa98, 0x228168,  (56, 60, 0x0, 0x12fa98, 0x228168, "@\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02120  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fad0, 0x22415c,  (56, 60, 0x0, 0x12fad0, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , 32, 32, ... {status=0x0, info=32},  (56, 60, 0x0, 0x12fad0, 0x22415c, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", 32, 32, ... {status=0x0, info=32}, "\254\253\177yX{\226G\271$\325\21x\245\234\344\\0\0\0\0\0\0\0\10 \217\0\306\205\337w", ) , ) == 0x0
 02121  2016   NtDeviceIoControlFile  (56, 60, 0x0, 0x12fa98, 0x228168,  (56, 60, 0x0, 0x12fa98, 0x228168, "\\0\0\0\0\0\0\0", 8, 0, ... {status=0x0, info=0}, 0x0, ) , 8, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 02122  2016   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02123  2016   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02124  2016   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02125  2016   NtClose  (48, ... ) == 0x0
 02126  2016   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 48, ) }, ... 48, ) == 0x0
 02127  2016   NtQueryValueKey  (48,  (48, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02128  2016   NtClose  (48, ... ) == 0x0
 02129  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02130  2016   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02131  2016   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02132  2016   NtClose  (56, ... ) == 0x0
 02133  2016   NtFreeVirtualMemory  (-1, (0x3a0000), 4096, 32768, ... (0x3a0000), 4096, ) == 0x0
 02134  2016   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244460, 0}  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244460, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 896, 2016, 81932, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 896, 2016, 81932, 0}  (24, {20, 48, new_msg, 0, 2089871292, 1310720, 1244460, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 896, 2016, 81932, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02135  2016   NtTerminateProcess  (-1, 0, ...