Summary (number of calls per syscall, matching the trace below):

NtCallbackReturn(>) 1 NtOpenMutant(>) 1 NtTestAlert(>) 1 NtGdiGetStockObject(>) 5
NtContinue(>) 1 NtOpenProcessToken(>) 1 NtUserCallNoParam(>) 1 NtQuerySystemInformation(>) 6
NtCreateEvent(>) 1 NtOpenProcessTokenEx(>) 1 NtUserGetThreadDesktop(>) 1 NtProtectVirtualMemory(>) 8
NtCreateSection(>) 1 NtOpenSymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 2 NtQueryValueKey(>) 9
NtDuplicateObject(>) 1 NtOpenThreadTokenEx(>) 1 NtGdiCreateSolidBrush(>) 2 NtUserFindExistingCursorIcon(>) 9
NtFsControlFile(>) 1 NtQueryAttributesFile(>) 1 NtQueryDefaultLocale(>) 2 NtMapViewOfSection(>) 10
NtGdiCreateBitmap(>) 1 NtQueryObject(>) 1 NtQueryVirtualMemory(>) 2 NtAllocateVirtualMemory(>) 11
NtGdiInit(>) 1 NtQuerySection(>) 1 NtSetInformationObject(>) 2 NtOpenSection(>) 11
NtGdiQueryFontAssocInfo(>) 1 NtQuerySymbolicLinkObject(>) 1 NtTerminateProcess(>) 2 NtDelayExecution(>) 12
NtGdiSelectBitmap(>) 1 NtQueryVolumeInformationFile(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenKey(>) 12
NtOpenDirectoryObject(>) 1 NtRegisterThreadTerminatePort(>) 1 NtQueryInformationToken(>) 3 NtUserRegisterClassExWOW(>) 15
NtOpenFile(>) 1 NtSecureConnectPort(>) 1 NtFlushInstructionCache(>) 4 NtClose(>) 22
NtOpenKeyedEvent(>) 1 NtSetInformationThread(>) 1 NtRequestWaitReplyPort(>) 4

Trace (sequence number, caller id, syscall, arguments, then `== status`):

00001 416 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 416 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 416 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 416 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 416 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 416 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 416 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 416 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 416 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 416 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 416 NtClose (12, ... 
) == 0x0 00014 416 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 416 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 416 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 416 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 416 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 416 NtClose (16, ... ) == 0x0 00021 416 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 416 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 416 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 416 NtClose (16, ... ) == 0x0 00026 416 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 416 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 416 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 416 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 416 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 408, 416, 1523, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 408, 416, 1523, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 408, 416, 1523, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 416 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 416 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 416 NtClose (16, ... ) == 0x0 00036 416 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00037 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0 00038 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x260000), 0x0, 90112, ) == 0x0 00039 416 NtClose (28, ... ) == 0x0 00040 416 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00041 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00042 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00043 416 NtClose (28, ... ) == 0x0 00044 416 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00045 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00046 416 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00047 416 NtClose (28, ... ) == 0x0 00048 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00049 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00050 416 NtClose (28, ... ) == 0x0 00051 416 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00052 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00053 416 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 408, 416, 1532, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... 
{28, 56, reply, 0, 408, 416, 1532, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 408, 416, 1532, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00055 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 8, ) == 0x0 00056 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 8, ... (0x407000), 4096, 4, ) == 0x0 00057 416 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00058 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00059 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00060 416 NtClose (28, ... ) == 0x0 00061 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00062 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00063 416 NtClose (28, ... ) == 0x0 00064 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00065 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00066 416 NtClose (28, ... ) == 0x0 00067 416 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00068 416 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00069 416 NtClose (28, ... ) == 0x0 00070 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00071 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00072 416 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00073 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... 
(0x407000), 4096, 4, ) == 0x0 00074 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00075 416 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00076 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00077 416 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00078 416 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00079 416 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00080 416 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00081 416 NtClose (28, ... ) == 0x0 00082 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00083 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 416 NtClose (28, ... ) == 0x0 00085 416 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00086 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00087 416 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00088 416 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00089 416 NtClose (28, ... 
) == 0x0 00090 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00091 416 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00092 416 NtClose (28, ... ) == 0x0 00093 416 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00094 416 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00095 416 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 416 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00097 416 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 408, 416, 1555, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 408, 416, 1555, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 408, 416, 1555, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00098 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00099 416 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x410000), 0x0, 1060864, ) == 0x0 00100 416 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00101 416 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00102 416 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482012, ) == 0x0 00103 416 NtQueryInformationToken (-2147482012, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00104 416 NtQueryInformationToken (-2147482012, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00105 416 NtClose (-2147482012, ... ) == 0x0 00106 416 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00107 416 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00108 416 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00109 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00110 416 NtQueryValueKey (-2147482012, (-2147482012, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 416 NtClose (-2147482012, ... ) == 0x0 00112 416 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00113 416 NtQueryValueKey (-2147482012, (-2147482012, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 416 NtClose (-2147482012, ... ) == 0x0 00115 416 NtQueryDefaultLocale (0, -136148468, ... ) == 0x0 00116 416 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00117 416 NtUserCallNoParam (24, ... ) == 0x0 00118 416 NtGdiCreateCompatibleDC (0, ... 00119 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00118 416 NtGdiCreateCompatibleDC ... ) == 0xe010451 00120 416 NtGdiGetStockObject (0, ... ) == 0x1900010 00121 416 NtGdiGetStockObject (4, ... 
) == 0x1900011 00122 416 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00123 416 NtGdiCreateSolidBrush (0, 0, ... 00124 416 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8519680, 4096, ) == 0x0 00123 416 NtGdiCreateSolidBrush ... ) == 0x810045b 00125 416 NtGdiGetStockObject (13, ... ) == 0x18a0021 00126 416 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00127 416 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00128 416 NtUserGetThreadDesktop (416, 0, ... ) == 0x2c 00129 416 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00130 416 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00131 416 NtClose (52, ... ) == 0x0 00132 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00133 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017 00134 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00135 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c 00136 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00137 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e 00138 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00139 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002 00140 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00141 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018 00142 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10011 00143 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a 00144 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d 00146 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00147 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026 00148 416 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00149 416 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019 00150 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020 00151 416 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022 00152 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023 00153 416 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024 00154 416 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00155 416 NtAllocateVirtualMemory (-1, 5484544, 0, 4096, 4096, 32, ... 5484544, 4096, ) == 0x0 00154 416 NtUserRegisterClassExWOW ... ) == 0x810dc025 00156 416 NtCallbackReturn (0, 0, 0, ... 00157 416 NtGdiInit (... ) == 0x1 00158 416 NtGdiGetStockObject (18, ... ) == 0x290001c 00159 416 NtGdiGetStockObject (19, ... ) == 0x1b00019 00160 416 NtTestAlert (... ) == 0x0 00161 416 NtContinue (1244464, 1, ... 00162 416 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403e78,}, 4, ... ) == 0x0 00163 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00164 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00165 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00166 416 NtDelayExecution (0, {-20000, -1}, ... 
) == 0x0 00167 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00168 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00169 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00170 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00171 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00172 416 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00173 416 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00174 416 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 416 NtClose (52, ... ) == 0x0 00176 416 NtDelayExecution (0, {-1500000, -1}, ... ) == 0x0 00177 416 NtDelayExecution (0, {-1500000, -1}, ... ) == 0x0 00178 416 NtTerminateProcess (0, 0, ... ) == 0x0 00179 416 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00180 416 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} "\0\0\0\0\3\0\1\0\244\376\22\0\0\0Is\0\0\0\0" ... {20, 48, reply, 0, 408, 416, 1565, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0Is\0\0\0\0" ) ... {20, 48, reply, 0, 408, 416, 1565, 0} (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} "\0\0\0\0\3\0\1\0\244\376\22\0\0\0Is\0\0\0\0" ... {20, 48, reply, 0, 408, 416, 1565, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0Is\0\0\0\0" ) ) == 0x0 00181 416 NtTerminateProcess (-1, 0, ... 00182 416 NtClose (44, ... ) == 0x0