Summary:
NtAddAtom(>) | 1 | NtSecureConnectPort(>) | 1 | NtUserCallNoParam(>) | 3 | NtQueryDirectoryFile(>) | 14 |
NtCallbackReturn(>) | 1 | NtSetInformationThread(>) | 1 | NtUserCallOneParam(>) | 3 | NtUnmapViewOfSection(>) | 15 |
NtConnectPort(>) | 1 | NtUserCreateWindowEx(>) | 1 | NtUserGetWindowDC(>) | 3 | NtQueryDebugFilterState(>) | 16 |
NtCreateMutant(>) | 1 | NtUserGetAtomName(>) | 1 | NtUserRegisterWindowMessage(>) | 3 | NtQueryInformationToken(>) | 17 |
NtCreateThread(>) | 1 | NtUserGetDC(>) | 1 | NtWaitForMultipleObjects(>) | 3 | NtQueryInformationFile(>) | 19 |
NtDelayExecution(>) | 1 | NtUserGetGUIThreadInfo(>) | 1 | NtAccessCheck(>) | 4 | NtCreateFile(>) | 22 |
NtDuplicateToken(>) | 1 | NtUserGetObjectInformation(>) | 1 | NtContinue(>) | 4 | NtDeviceIoControlFile(>) | 22 |
NtEnumerateValueKey(>) | 1 | NtUserGetProcessWindowStation(>) | 1 | NtCreateSemaphore(>) | 4 | NtOpenSection(>) | 29 |
NtGdiCreateBitmap(>) | 1 | NtUserGetThreadDesktop(>) | 1 | NtSetEvent(>) | 4 | NtQueryDefaultLocale(>) | 30 |
NtGdiInit(>) | 1 | NtDuplicateObject(>) | 2 | NtGdiGetStockObject(>) | 5 | NtOpenFile(>) | 35 |
NtGdiQueryFontAssocInfo(>) | 1 | NtFsControlFile(>) | 2 | NtFreeVirtualMemory(>) | 7 | NtQueryAttributesFile(>) | 36 |
NtGdiSelectBitmap(>) | 1 | NtGdiCreateSolidBrush(>) | 2 | NtOpenProcessToken(>) | 7 | NtQueryVirtualMemory(>) | 36 |
NtNotifyChangeKey(>) | 1 | NtGdiHfontCreate(>) | 2 | NtQueryInformationProcess(>) | 7 | NtQueryValueKey(>) | 46 |
NtOpenEvent(>) | 1 | NtOpenDirectoryObject(>) | 2 | NtQueryVolumeInformationFile(>) | 8 | NtAllocateVirtualMemory(>) | 47 |
NtOpenKeyedEvent(>) | 1 | NtOpenThreadToken(>) | 2 | NtSetValueKey(>) | 8 | NtMapViewOfSection(>) | 48 |
NtOpenProcess(>) | 1 | NtRegisterThreadTerminatePort(>) | 2 | NtCreateEvent(>) | 9 | NtUserFindExistingCursorIcon(>) | 50 |
NtOpenSymbolicLinkObject(>) | 1 | NtSetEventBoostPriority(>) | 2 | NtCreateKey(>) | 9 | NtUserRegisterClassExWOW(>) | 62 |
NtQueryFullAttributesFile(>) | 1 | NtSetInformationProcess(>) | 2 | NtQueryDefaultUILanguage(>) | 10 | NtCreateSection(>) | 75 |
NtQueryInformationThread(>) | 1 | NtTestAlert(>) | 2 | NtQuerySection(>) | 10 | NtQuerySystemInformation(>) | 78 |
NtQueryInstallUILanguage(>) | 1 | NtWaitForSingleObject(>) | 2 | NtSetInformationFile(>) | 10 | NtReadFile(>) | 79 |
NtQueryObject(>) | 1 | NtWriteFile(>) | 2 | NtRequestWaitReplyPort(>) | 12 | NtOpenKey(>) | 90 |
NtQuerySymbolicLinkObject(>) | 1 | NtGdiCreateCompatibleDC(>) | 3 | NtUserSystemParametersInfo(>) | 12 | NtFlushInstructionCache(>) | 110 |
NtRaiseException(>) | 1 | NtQueryPerformanceCounter(>) | 3 | NtOpenProcessTokenEx(>) | 13 | NtProtectVirtualMemory(>) | 227 |
NtResumeThread(>) | 1 | NtSetInformationObject(>) | 3 | NtOpenThreadTokenEx(>) | 13 | NtClose(>) | 265 |
, 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "y\3633w\340\224\243R2\213\252\264\375\231\266\315\12\221x2\3775.\305]\317.\337"_tp\254\7Kf\234r\370/\316\252F\200o.q"\323\377, 80, ... ) _tp\254\7Kf\234r\370/\316\252F\200o.q (-2147482756, "Seed", 0, 3, "y\3633w\340\224\243R2\213\252\264\375\231\266\315\12\221x2\3775.\305]\317.\337"_tp\254\7Kf\234r\370/\316\252F\200o.q"\323\377, 80, ... ) , 80, ... ) == 0x0 01511 896 NtClose (-2147482756, ... ) == 0x0 01501 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\201\223\213\346\331\33j\206v\335\4\277\221&t\17m\13\326\370\210\11\340\275\245P\300/\234|,\253\363\222\2L\256\272\314\271E\275\364\15\2048\255\202\377]w\230{G\3564\241i7\371bN\312S-\301\303\2418\200\364Df\27]\20\260\203\12'!\266\34pHp\331_\264\4\207\257\245LJ\372\262\374_\24\344?\2417\15\205/\230yEA\242w\25\316\256\2\310m\3\240\2725\260\240W\241G\217a1\3?KW\372}wTw\341\247\273\255\3455gt\355\224/:\35\225\275\363w\261\272\3\217\350\233\13:\324\306\263X\231\207@\225B\330\204\205\205e\373@\256|\366*\30\355\1\203El\360\244\370\227\34\206,a\2771;&\305e\302\14\233(\16\222\16l\374W\2138l|\310u@\326\336\213\325\310W\230\377F\37\237P=\240<\201\334\36\227\17.S\20)\236\24\345j\346\327\374\225\335\321", ) , ) == 0x0 01512 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "\255\377)\264t)\341\306\355\261\273\372\\23\37\313_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01513 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01514 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01515 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01516 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01517 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01518 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01519 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01520 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01521 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\247]\376^\20Q\270\10\310\332\366F\314\267]\376\266Y\16\225V\360&\234\306C\222\361iJ\253\237\314y\331\234LR9\271\276\300\11\233\370^\267\203\34>\326\267/\352\351nm0P\15(\L\361_\353E\222\22\235\370\363\2644\273\34\315\17\260\224", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\247]\376^\20Q\270\10\310\332\366F\314\267]\376\266Y\16\225V\360&\234\306C\222\361iJ\253\237\314y\331\234LR9\271\276\300\11\233\370^\267\203\34>\326\267/\352\351nm0P\15(\L\361_\353E\222\22\235\370\363\2644\273\34\315\17\260\224", 80, ... ) , 80, ... ) == 0x0 01522 896 NtClose (-2147482756, ... ) == 0x0 01512 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\225\213\345S}9"\330\2016\234\11a\234\351\232t\275'\227a\376J\371\215\306\235 \232\212\372\236\253\237W\362{*\252I\0~\364\177|\342N\273\211?\206\27U\14\243\1k\273\24\260\251\11\25qUs\216\250yvl\254L\237I\351\241\2705f\250\30\3\200@\241\307)}\36\337\21\234\322\35\32\304n\15\3\275_\236\350\35\15\31\0\214!\263\32\213K\10qW\200\26\342\27\234\236\6\12\254\\22g\271c\273\241\336\240\331\225\242\343\277+g\\226\216\201+\323\210B@\241\221c\351\303\253\322\345P\0\276\32\220\365\261\337$\241kQ\0\254\237\243\0\35@\354\342\377\34="\11\364\310d\23\335\253<\376>\263\3144\263\330T\35{\206\350e\372e\341\366]\217\244\357{si\341\346-b\212\250D\243@\256vc\345\2\6/\352\210EH\31\220ab\2548\234\16C\326Zw\266\376\276\17\370\364us", ) \330\2016\234\11a\234\351\232t\275'\227a\376J\371\215\306\235 \232\212\372\236\253\237W\362{*\252I\0~\364\177|\342N\273\211?\206\27U\14\243\1k\273\24\260\251\11\25qUs\216\250yvl\254L\237I\351\241\2705f\250\30\3\200@\241\307)}\36\337\21\234\322\35\32\304n\15\3\275_\236\350\35\15\31\0\214!\263\32\213K\10qW\200\26\342\27\234\236\6\12\254\\22g\271c\273\241\336\240\331\225\242\343\277+g\\226\216\201+\323\210B@\241\221c\351\303\253\322\345P\0\276\32\220\365\261\337$\241kQ\0\254\237\243\0\35@\354\342\377\34= ... {status=0x0, info=256}, "\225\213\345S}9"\330\2016\234\11a\234\351\232t\275'\227a\376J\371\215\306\235 \232\212\372\236\253\237W\362{*\252I\0~\364\177|\342N\273\211?\206\27U\14\243\1k\273\24\260\251\11\25qUs\216\250yvl\254L\237I\351\241\2705f\250\30\3\200@\241\307)}\36\337\21\234\322\35\32\304n\15\3\275_\236\350\35\15\31\0\214!\263\32\213K\10qW\200\26\342\27\234\236\6\12\254\\22g\271c\273\241\336\240\331\225\242\343\277+g\\226\216\201+\323\210B@\241\221c\351\303\253\322\345P\0\276\32\220\365\261\337$\241kQ\0\254\237\243\0\35@\354\342\377\34="\11\364\310d\23\335\253<\376>\263\3144\263\330T\35{\206\350e\372e\341\366]\217\244\357{si\341\346-b\212\250D\243@\256vc\345\2\6/\352\210EH\31\220ab\2548\234\16C\326Zw\266\376\276\17\370\364us", ) , ) == 0x0 01523 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "\255\377)\264t)\341\306\355\261\273\372\\23\37\313_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01524 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01525 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01526 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01527 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01528 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01529 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01530 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01531 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01532 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "tX\326T\236YXz\300\333\317\213\3N\320\236\356\247\367<\37\225@W*\231\376\232|t\252'zds\226eW4J\365\17\333u\4R\3279\347\6\377\345\5\2649j\14\227\2208\250\2174f \226\2\311\312\301\253\377I\24\306d[\201\13*", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "tX\326T\236YXz\300\333\317\213\3N\320\236\356\247\367<\37\225@W*\231\376\232|t\252'zds\226eW4J\365\17\333u\4R\3279\347\6\377\345\5\2649j\14\227\2208\250\2174f \226\2\311\312\301\253\377I\24\306d[\201\13*", 80, ... ) , 80, ... ) == 0x0 01533 896 NtClose (-2147482756, ... ) == 0x0 01523 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "N\245\371y\355b\330\204Y\230\1\375~\26\345'W\\235=\244y~\211Y\340\375\243\1\303\220%\342\15\265\335\7\371_\325\256\346O\202\213\270\352\314\213#\245\256\355yu\302\365\0\227\271x\242%}\301\200\332W\265\323\3350\215\340\247\37\363\243\221\244n\357\311\347g\226\343\36\10\0h5\20q\375\363-)F\5\302\2073\22.\243\317O\216\271)\316\336\216~\277\4\245\221\272\370Z*r\356l1\25\245|\324\207b\360:\302x\277#L]r\356\230[\2031\3\326v\331\237\360\242\244\301S#EL\244\347\37V\2336d\300O\301\270\276\265\352\304P\237\322\326\212\3775\3\372w\361[\30F\221>B5\275\334\15\371\7\205\345\3713;S\242\212r\351\252\371$T\177\323\257\277\3455{\252\364\23\32\212\313\230,t\275\350\231\0\256k\33<\222\11V\305ET,\304\231\307\20Sv\13\327\376\306Wz\354", ) , ) == 0x0 01534 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "\255\377)\264t)\341\306\355\261\273\372\\23\37\313_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01535 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01536 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01537 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01538 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01539 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01540 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01541 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01542 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01543 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\36\16;s\214\233?\364t\262\234s?0\25d8v\240\276\240\7$I\36pM\355\324j\376\323\236\305\24`gH4\311\256\243Nao\2365\314\206\250\16wa\305R\201\6\2617m\267\16\364-.\230s\331\312*\10\263\215\30\205\235\241S;)", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\36\16;s\214\233?\364t\262\234s?0\25d8v\240\276\240\7$I\36pM\355\324j\376\323\236\305\24`gH4\311\256\243Nao\2365\314\206\250\16wa\305R\201\6\2617m\267\16\364-.\230s\331\312*\10\263\215\30\205\235\241S;)", 80, ... ) , 80, ... ) == 0x0 01544 896 NtClose (-2147482756, ... ) == 0x0 01534 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\336#\230\345&\223\313c\304\23\334\260\320\316\373\212\321>V\375\262j\336\277\10btv\301+\235\271o\306\374U\263\3315\304&\323\220z\345%[\370\344\203j\273\201\210\201\310\337\1\20e\236\314C4\250\\256\222E\331\243\267\12\244\345\325T\3227\35\377\346\34\360\222WR\265\20\336\353\371V8\325gHa_\363\10\255G\242t\230\342\340\236\217$Eu\376c\210|\2\366I\13\347\273\31\324\243\351\210iVxS)\32\350Rv5\346d\341\33\24\374RL\12\271{\374\331V\250#\241\256\254\16\201\20\24[ \211\372\366\301\331D\211)\260vl\26\324\211\344\3\376.>\202\231hj;:P\275<\272.\214\241\X\336\304\226\316\375\215G\224\245\340\223\357\334\3=\36hy\224\37_r)\13\270\364\210\316\336\356\207\204\341\23<\21\2272u\314\25\346\307\374K\25\7\227\4t6\346\6t57Br\273", ) , ) == 0x0 01545 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "\255\377)\264t)\341\306\355\261\273\372\\23\37\313_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01546 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01547 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01548 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01549 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01550 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01551 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01552 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01553 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01554 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\355^B\277\334\21\376a\204\5\12-h\20\317!\264\241\304)k{\315e\344\4o\207\244\233\206\311N\302\251\25\211`\21\315R\13\350h\3\361T\242\30\202\347B\347Dp\12\353\207\340g\332Y\346\357\1\246\24\27\205$\233\372\25$d\233\370T!\24", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\355^B\277\334\21\376a\204\5\12-h\20\317!\264\241\304)k{\315e\344\4o\207\244\233\206\311N\302\251\25\211`\21\315R\13\350h\3\361T\242\30\202\347B\347Dp\12\353\207\340g\332Y\346\357\1\246\24\27\205$\233\372\25$d\233\370T!\24", 80, ... ) , 80, ... ) == 0x0 01555 896 NtClose (-2147482756, ... ) == 0x0 01545 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\272hmUq\340\224\312\361\241\346\30\327u\256>\352}|\226\302/\257B\257\12\314\305\32\2674\321\227\246\13 7\363\321qe \376\271\256C\214\314;\2\313\2613\334\314\326\231=\2729\340\253%2\25\244\371f\353\22F\314\345$\260\216\261\246\250\200\6"\311\33\2349\365\11&M3\276\212\27\316\255?o\314\206\276Y\354H;\2278!\31\25\341\247"\220t\346\355e/Q\303l\317sV\0\274O\235\355\347F\262\363y\332\370\215\241\3777\261\205\333\0\224\302*\177\305\224\4\1G\3372FN\20\205\26\366\2077\24\20\372\353\301\26t\233u+\341g\326\304\214\305\256\347\210\200%\265^\1\14\36\317m7\255\34B\317\313;q\304\217\356!\3277\362\257\357\310e\220v=\253\\235\325~\250*\215^\320\2269\322&\340\34_w\253\357:\266k\352\243%Tj(\30\4\23775\360\321\315J\246\307J", ) \311\33\2349\365\11&M3\276\212\27\316\255?o\314\206\276Y\354H;\2278!\31\25\341\247 ... {status=0x0, info=256}, "\272hmUq\340\224\312\361\241\346\30\327u\256>\352}|\226\302/\257B\257\12\314\305\32\2674\321\227\246\13 7\363\321qe \376\271\256C\214\314;\2\313\2613\334\314\326\231=\2729\340\253%2\25\244\371f\353\22F\314\345$\260\216\261\246\250\200\6"\311\33\2349\365\11&M3\276\212\27\316\255?o\314\206\276Y\354H;\2278!\31\25\341\247"\220t\346\355e/Q\303l\317sV\0\274O\235\355\347F\262\363y\332\370\215\241\3777\261\205\333\0\224\302*\177\305\224\4\1G\3372FN\20\205\26\366\2077\24\20\372\353\301\26t\233u+\341g\326\304\214\305\256\347\210\200%\265^\1\14\36\317m7\255\34B\317\313;q\304\217\356!\3277\362\257\357\310e\220v=\253\\235\325~\250*\215^\320\2269\322&\340\34_w\253\357:\266k\352\243%Tj(\30\4\23775\360\321\315J\246\307J", ) , ) == 0x0 01556 896 NtClose (140, ... ) == 0x0 01557 896 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 140, {status=0x0, info=1}, ) }, 3, 33, ... 140, {status=0x0, info=1}, ) == 0x0 01558 896 NtQueryVolumeInformationFile (140, 1238992, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01559 896 NtClose (12, ... ) == 0x0 01560 896 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\logon.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01561 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238156, (0x80100080, {24, 0, 0x40, 0, 1238156, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 01562 896 NtQueryInformationFile (12, 1238592, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01563 896 NtQueryInformationFile (12, 1238508, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01564 896 NtQueryInformationFile (12, 1238324, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01565 896 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 01566 896 NtQueryInformationFile (12, 1370088, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01567 896 NtQueryInformationFile (12, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01568 896 NtQueryInformationFile (12, 1237048, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01569 896 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1236924, (0x40110080, {24, 0, 0x40, 0, 1236924, "\??\C:\WINDOWS\system32\logon.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01570 896 NtClose (-2147482756, ... ) == 0x0 01569 896 NtCreateFile ... 136, {status=0x0, info=2}, ) == 0x0 01571 896 NtQueryVolumeInformationFile (136, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01572 896 NtQueryInformationFile (136, 1236660, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01573 896 NtQueryVolumeInformationFile (12, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01574 896 NtSetInformationFile (136, 1236976, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01575 896 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 144, ) == 0x0 01576 896 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3c0000), {0, 0}, 57344, ) == 0x0 01577 896 NtClose (144, ... ) == 0x0 01578 896 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\343^ \16\247?N]\247?N]\247?N]\371\35E]\245?N]\334#B]\244?N]$7\23]\253?N]$#@]\241?N]\310 J]\244?N]\310 E]\246?N]\247?O]\2?N]\221\31X]\230?N]Rich\247?N]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\2\0<\360\337F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\0\0\0\0\320\0\0\0\0\2\0\201\217\4\0\0\20\0\0\0\20\2\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\4\0\0\4\0\0\242\307\1\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\30\300\3\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.dfg\0\0\0\0\0\260\3\0", 56687, 0x0, 0, ... {status=0x0, info=56687}, ) , 56687, 0x0, 0, ... {status=0x0, info=56687}, ) == 0x0 01579 896 NtUnmapViewOfSection (-1, 0x3c0000, ... ) == 0x0 01580 896 NtSetInformationFile (136, 1238324, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01581 896 NtClose (12, ... ) == 0x0 01582 896 NtClose (136, ... ) == 0x0 01583 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\logon.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 01584 896 NtSetInformationFile (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01585 896 NtClose (136, ... ) == 0x0 01586 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\logon.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 01587 896 NtSetInformationFile (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01588 896 NtClose (136, ... ) == 0x0 01589 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238952, (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01590 896 NtQueryInformationFile (136, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01591 896 NtClose (136, ... ) == 0x0 01592 896 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1238952, (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\system32\logon.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01593 896 NtSetInformationFile (136, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01594 896 NtClose (136, ... ) == 0x0 01595 896 NtOpenFile (0x10080, {24, 140, 0x40, 0, 0, (0x10080, {24, 140, 0x40, 0, 0, "xipe.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01596 896 NtCreateFile (0x40100080, {24, 140, 0x40, 0, 1239200, (0x40100080, {24, 140, 0x40, 0, 1239200, "xipe.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) == 0x0 01597 896 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del xipe.bat\15\12", 120, 0x0, 0, ... {status=0x0, info=120}, ) , 120, 0x0, 0, ... {status=0x0, info=120}, ) == 0x0 01598 896 NtClose (136, ... ) == 0x0 01599 896 NtOpenKey (0x9, {24, 16, 0x40, 0, 0, (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01600 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232480, ... ) }, 1232480, ... ) == 0x0 01601 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01602 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 136, ... 12, ) == 0x0 01603 896 NtClose (136, ... ) == 0x0 01604 896 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb30000), 0x0, 401408, ) == 0x0 01605 896 NtClose (12, ... ) == 0x0 01606 896 NtUnmapViewOfSection (-1, 0xb30000, ... ) == 0x0 01607 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01608 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01609 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01610 896 NtAllocateVirtualMemory (-1, 1380352, 0, 16384, 4096, 4, ... 1380352, 16384, ) == 0x0 01611 896 NtUserRegisterClassExWOW (1234088, 1234156, 1234172, 1234188, 0, 384, 0, ... ) == 0x8177c038 01612 896 NtUserGetAtomName (49208, 1233416, ... ) == 0x15 01613 896 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... 01614 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230888, ... ) }, 1230888, ... ) == 0x0 01615 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0 01616 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 12, ... 136, ) == 0x0 01617 896 NtClose (12, ... ) == 0x0 01618 896 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3c0000), 0x0, 221184, ) == 0x0 01619 896 NtClose (136, ... ) == 0x0 01620 896 NtUnmapViewOfSection (-1, 0x3c0000, ... ) == 0x0 01621 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231196, ... ) }, 1231196, ... ) == 0x0 01622 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01623 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 12, ) == 0x0 01624 896 NtQuerySection (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01625 896 NtClose (136, ... ) == 0x0 01626 896 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0 01627 896 NtClose (12, ... ) == 0x0 01628 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01629 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01630 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01631 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01632 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01633 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01634 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01635 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01636 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01637 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01638 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01639 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01640 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01641 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01642 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01643 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01644 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01645 896 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01646 896 NtClose (12, ... ) == 0x0 01647 896 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01648 896 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0 01649 896 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 136, ) }, ... 136, ) == 0x0 01650 896 NtQueryValueKey (136, (136, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01651 896 NtClose (136, ... ) == 0x0 01652 896 NtClose (12, ... ) == 0x0 01653 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01654 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01655 896 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01656 896 NtClose (12, ... ) == 0x0 01657 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0 01658 896 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0 01659 896 NtQueryValueKey (136, (136, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01660 896 NtClose (136, ... ) == 0x0 01661 896 NtClose (12, ... ) == 0x0 01662 896 NtUserGetProcessWindowStation (... ) == 0x1c 01663 896 NtUserGetObjectInformation (28, 2, 1232984, 64, 1232980, ... ) == 0x1 01664 896 NtUserGetGUIThreadInfo (896, 1233004, ... ) == 0x1 01665 896 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0 01666 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81851, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01667 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81852, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01668 896 NtUserCallNoParam (29, ... 01669 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0 01668 896 NtUserCallNoParam ... ) == 0x0 01670 896 NtUserSystemParametersInfo (41, 0, 1524240760, 0, ... ) == 0x1 01671 896 NtGdiHfontCreate (1232372, 356, 0, 0, 1332232, ... ) == 0x640a0596 01672 896 NtGdiHfontCreate (1232372, 356, 0, 0, 1332224, ... ) == 0x740a05de 01673 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81853, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01674 896 NtMapViewOfSection (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb30000), {0, 0}, 327680, ) == 0x0 01675 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01676 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01677 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01678 896 NtQueryVirtualMemory (-1, 0x416dba, Basic, 28, ... {BaseAddress=0x416000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x18000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 01679 896 NtQueryVirtualMemory (-1, 0x417298, Basic, 28, ... {BaseAddress=0x417000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x17000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 01680 896 NtRaiseException (1232112, 1232136, 0, ... 01226 1480 NtWaitForMultipleObjects ... ) == 0xc0 01681 896 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0