Summary:


NtContinue(>)  1 
NtOpenThreadTokenEx(>)  1 
NtSetInformationObject(>)  1 
NtQueryVirtualMemory(>)  3 

NtFsControlFile(>)  1 
NtQueryDefaultLocale(>)  1 
NtCreateSection(>)  2 
NtProtectVirtualMemory(>)  4 

NtOpenDirectoryObject(>)  1 
NtQueryObject(>)  1 
NtOpenFile(>)  2 
NtOpenKey(>)  5 

NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  1 
NtQueryAttributesFile(>)  2 
NtMapViewOfSection(>)  6 

NtOpenMutant(>)  1 
NtQueryVolumeInformationFile(>)  1 
NtQueryInformationToken(>)  2 
NtOpenSection(>)  8 

NtOpenProcessToken(>)  1 
NtRaiseHardError(>)  1 
NtQuerySection(>)  2 
NtQuerySystemInformation(>)  12 

NtOpenProcessTokenEx(>)  1 
NtRegisterThreadTerminatePort(>)  1 
NtQueryValueKey(>)  2 
NtAllocateVirtualMemory(>)  13 

NtOpenSymbolicLinkObject(>)  1 
NtSecureConnectPort(>)  1 
NtRequestWaitReplyPort(>)  2 
NtClose(>)  13 


Trace:
 00001   420   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   420   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   420   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   420   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   420   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00010   420   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00011   420   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00012   420   NtAllocateVirtualMemory  (-1, 0, 0, 131008, 8192, 4, ... 2424832, 131072, ) == 0x0
 00013   420   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00014   420   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00015   420   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00016   420   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00017   420   NtClose  (12, ... ) == 0x0
 00018   420   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00019   420   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00020   420   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00021   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00022   420   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00023   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "verifier.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00024   420   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\verifier.dll"}, 1241964, ... ) }, 1241964, ... ) == 0x0
 00025   420   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\verifier.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00026   420   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 20, ) == 0x0
 00027   420   NtQuerySection  (20, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00028   420   NtOpenProcessToken  (-1, 0x8, ... 24, ) == 0x0
 00029   420   NtQueryInformationToken  (24, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00030   420   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00031   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 28, ) }, ... 28, ) == 0x0
 00032   420   NtQueryValueKey  (28,  (28, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (28, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00033   420   NtClose  (28, ... ) == 0x0
 00034   420   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00035   420   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 28, ) == 0x0
 00036   420   NtQueryInformationToken  (28, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00037   420   NtClose  (28, ... ) == 0x0
 00038   420   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00039   420   NtClose  (24, ... ) == 0x0
 00040   420   NtClose  (16, ... ) == 0x0
 00041   420   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad10000), 0x0, 286720, ) == 0x0
 00042   420   NtClose  (20, ... ) == 0x0
 00043   420   NtProtectVirtualMemory  (-1, (0x418000), 500, 4, ... (0x418000), 4096, 2, ) == 0x0
 00044   420   NtProtectVirtualMemory  (-1, (0x418000), 4096, 2, ... (0x418000), 4096, 8, ) == 0x0
 00045   420   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 20, ) }, ... 20, ) == 0x0
 00046   420   NtMapViewOfSection  (20, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00047   420   NtClose  (20, ... ) == 0x0
 00048   420   NtProtectVirtualMemory  (-1, (0x77e61000), 1544, 4, ... (0x77e61000), 4096, 32, ) == 0x0
 00049   420   NtProtectVirtualMemory  (-1, (0x77e61000), 4096, 32, ... (0x77e61000), 4096, 4, ) == 0x0
 00050   420   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00051   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00052   420   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 20, ) == 0x0
 00053   420   NtSecureConnectPort  ( ("\Windows\ApiPort", {1242120, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1322728, {12, 0, 0}, 1242016, 44, ... 24, {24, 20, 0, 65536, 2555904, 18415616}, {0, 0, 0}, 200, 44, ) , {1242120, 2, 1, 1}, {24, 20, 0, 65536, 0, 0}, 1322728, {12, 0, 0}, 1242016, 44, ... 24, {24, 20, 0, 65536, 2555904, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00054   420   NtClose  (20, ... ) == 0x0
 00055   420   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00056   420   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00057   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00058   420   NtQueryVirtualMemory  (-1, 0x270000, Basic, 28, ... {BaseAddress=0x270000,AllocationBase=0x270000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00059   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00060   420   NtQueryVirtualMemory  (-1, 0x270000, Basic, 28, ... {BaseAddress=0x270000,AllocationBase=0x270000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00061   420   NtAllocateVirtualMemory  (-1, 2555904, 0, 4096, 4096, 4, ... 2555904, 4096, ) == 0x0
 00062   420   NtAllocateVirtualMemory  (-1, 0, 0, 131008, 8192, 4, ... 2621440, 131072, ) == 0x0
 00063   420   NtAllocateVirtualMemory  (-1, 2621440, 0, 4096, 4096, 4, ... 2621440, 4096, ) == 0x0
 00064   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 1242596, 0, 1523652760}  (24, {28, 56, new_msg, 0, 0, 1242596, 0, 1523652760} "\230\14\31\1\0\0\0\0\0\20\0\0\3\0\0\0\1\0\0\0\254\14\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 420, 1477, 0} "\210z\27\0\0\0\0\0\0\0\0\0\3\0\0\0\1\0\0\0\254\14\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 408, 420, 1477, 0}  (24, {28, 56, new_msg, 0, 0, 1242596, 0, 1523652760} "\230\14\31\1\0\0\0\0\0\20\0\0\3\0\0\0\1\0\0\0\254\14\31\1\4\0\0\0" ... {28, 56, reply, 0, 408, 420, 1477, 0} "\210z\27\0\0\0\0\0\0\0\0\0\3\0\0\0\1\0\0\0\254\14\31\1\4\0\0\0" )  ) == 0x0
 00065   420   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00066   420   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 20, ) }, ... 20, ) == 0x0
 00067   420   NtQueryValueKey  (20,  (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (20, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00068   420   NtClose  (20, ... ) == 0x0
 00069   420   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 20, ) }, ... 20, ) == 0x0
 00070   420   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00071   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00072   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00073   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2a0000), 0x0, 90112, ) == 0x0
 00074   420   NtClose  (28, ... ) == 0x0
 00075   420   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00076   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00077   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00078   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 212992, ) == 0x0
 00079   420   NtClose  (28, ... ) == 0x0
 00080   420   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00081   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00082   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x300000), 0x0, 266240, ) == 0x0
 00083   420   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00084   420   NtClose  (28, ... ) == 0x0
 00085   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00086   420   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00087   420   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x350000), 0x0, 24576, ) == 0x0
 00088   420   NtClose  (28, ... ) == 0x0
 00089   420   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00090   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   420   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   420   NtAllocateVirtualMemory  (-1, 2560000, 0, 4096, 4096, 4, ... 2560000, 4096, ) == 0x0
 00093   420   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025344, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025344, 0} "\320\14\31\1\0\0\0\0\321\272\321\272\321\272\321\272\2\0\0\0\344\14\31\18\6\0\0" ... {28, 56, reply, 0, 408, 420, 1478, 0} "H\322\26\0\0\0\0\0\0\0\0\0\321\272\321\272\2\0\0\0\344\14\31\18\6\0\0" )  ... {28, 56, reply, 0, 408, 420, 1478, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025344, 0} "\320\14\31\1\0\0\0\0\321\272\321\272\321\272\321\272\2\0\0\0\344\14\31\18\6\0\0" ... {28, 56, reply, 0, 408, 420, 1478, 0} "H\322\26\0\0\0\0\0\0\0\0\0\321\272\321\272\2\0\0\0\344\14\31\18\6\0\0" )  ) == 0x0
 00094   420   NtContinue  (1241840, 0, ...
 00095   420   NtRaiseHardError  (-1073741499, 1, 0, 1244328, 1, 1244316, ...
NtContinue(>)	1	NtOpenThreadTokenEx(>)	1	NtSetInformationObject(>)	1	NtQueryVirtualMemory(>)	3
NtFsControlFile(>)	1	NtQueryDefaultLocale(>)	1	NtCreateSection(>)	2	NtProtectVirtualMemory(>)	4
NtOpenDirectoryObject(>)	1	NtQueryObject(>)	1	NtOpenFile(>)	2	NtOpenKey(>)	5
NtOpenKeyedEvent(>)	1	NtQuerySymbolicLinkObject(>)	1	NtQueryAttributesFile(>)	2	NtMapViewOfSection(>)	6
NtOpenMutant(>)	1	NtQueryVolumeInformationFile(>)	1	NtQueryInformationToken(>)	2	NtOpenSection(>)	8
NtOpenProcessToken(>)	1	NtRaiseHardError(>)	1	NtQuerySection(>)	2	NtQuerySystemInformation(>)	12
NtOpenProcessTokenEx(>)	1	NtRegisterThreadTerminatePort(>)	1	NtQueryValueKey(>)	2	NtAllocateVirtualMemory(>)	13
NtOpenSymbolicLinkObject(>)	1	NtSecureConnectPort(>)	1	NtRequestWaitReplyPort(>)	2	NtClose(>)	13