Summary:


NtCallbackReturn(>)  1 
NtQueryVolumeInformationFile(>)  1 
NtQueryVirtualMemory(>)  2 
NtRequestWaitReplyPort(>)  4 

NtCreateEvent(>)  1 
NtReadFile(>)  1 
NtSetInformationObject(>)  2 
NtGdiGetStockObject(>)  5 

NtDuplicateObject(>)  1 
NtRegisterThreadTerminatePort(>)  1 
NtTerminateProcess(>)  2 
NtOpenFile(>)  5 

NtFsControlFile(>)  1 
NtSecureConnectPort(>)  1 
NtUnmapViewOfSection(>)  2 
NtQueryInformationToken(>)  6 

NtGdiCreateBitmap(>)  1 
NtSetInformationThread(>)  1 
NtWriteFile(>)  2 
NtQuerySystemInformation(>)  6 

NtGdiInit(>)  1 
NtTestAlert(>)  1 
NtCreateSection(>)  3 
NtUserFindExistingCursorIcon(>)  9 

NtGdiQueryFontAssocInfo(>)  1 
NtUserCallNoParam(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtOpenSection(>)  11 

NtGdiSelectBitmap(>)  1 
NtUserGetThreadDesktop(>)  1 
NtOpenProcessTokenEx(>)  3 
NtQueryValueKey(>)  11 

NtOpenDirectoryObject(>)  1 
NtContinue(>)  2 
NtOpenThreadTokenEx(>)  3 
NtAllocateVirtualMemory(>)  12 

NtOpenKeyedEvent(>)  1 
NtFreeVirtualMemory(>)  2 
NtQueryDefaultLocale(>)  3 
NtMapViewOfSection(>)  12 

NtOpenMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtSetInformationFile(>)  3 
NtProtectVirtualMemory(>)  12 

NtOpenSymbolicLinkObject(>)  1 
NtOpenProcessToken(>)  2 
NtCreateFile(>)  4 
NtUserRegisterClassExWOW(>)  15 

NtQueryInstallUILanguage(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtFlushInstructionCache(>)  4 
NtOpenKey(>)  18 

NtQueryObject(>)  1 
NtQueryInformationFile(>)  2 
NtQueryAttributesFile(>)  4 
NtClose(>)  37 

NtQuerySymbolicLinkObject(>)  1 
NtQuerySection(>)  2 
NtQueryDebugFilterState(>)  4 

Trace:
 00001   516   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   516   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   516   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   516   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   516   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   516   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   516   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   516   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   516   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   516   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   516   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   516   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   516   NtClose  (12, ... ) == 0x0
 00014   516   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   516   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   516   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   516   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   516   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   516   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   516   NtClose  (16, ... ) == 0x0
 00021   516   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   516   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   516   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   516   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   516   NtClose  (16, ... ) == 0x0
 00026   516   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   516   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   516   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   516   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   516   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   516   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 504, 516, 1535, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 504, 516, 1535, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 504, 516, 1535, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   516   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   516   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   516   NtClose  (16, ... ) == 0x0
 00036   516   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   516   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   516   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   516   NtClose  (28, ... ) == 0x0
 00041   516   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   516   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   516   NtClose  (28, ... ) == 0x0
 00045   516   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   516   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   516   NtClose  (28, ... ) == 0x0
 00049   516   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   516   NtClose  (28, ... ) == 0x0
 00052   516   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   516   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   516   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   516   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 504, 516, 1562, 0} "\230G\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 504, 516, 1562, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 504, 516, 1562, 0} "\230G\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   516   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00057   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00058   516   NtClose  (28, ... ) == 0x0
 00059   516   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00061   516   NtClose  (28, ... ) == 0x0
 00062   516   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00064   516   NtClose  (28, ... ) == 0x0
 00065   516   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   516   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00067   516   NtClose  (28, ... ) == 0x0
 00068   516   NtProtectVirtualMemory  (-1, (0x418000), 4096, 4, ... (0x418000), 4096, 2, ) == 0x0
 00069   516   NtProtectVirtualMemory  (-1, (0x418000), 4096, 2, ... (0x418000), 4096, 4, ) == 0x0
 00070   516   NtFlushInstructionCache  (-1, 4292608, 4096, ... ) == 0x0
 00071   516   NtProtectVirtualMemory  (-1, (0x418000), 4096, 4, ... (0x418000), 4096, 2, ) == 0x0
 00072   516   NtProtectVirtualMemory  (-1, (0x418000), 4096, 2, ... (0x418000), 4096, 4, ) == 0x0
 00073   516   NtFlushInstructionCache  (-1, 4292608, 4096, ... ) == 0x0
 00074   516   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   516   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   516   NtClose  (28, ... ) == 0x0
 00077   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   516   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   516   NtClose  (28, ... ) == 0x0
 00080   516   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00081   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   516   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   516   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   516   NtClose  (28, ... ) == 0x0
 00085   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   516   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   516   NtClose  (28, ... ) == 0x0
 00088   516   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   516   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   516   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   516   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   516   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 504, 516, 1565, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 504, 516, 1565, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 504, 516, 1565, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   516   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00095   516   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   516   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   516   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   516   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   516   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   516   NtClose  (-2147482020, ... ) == 0x0
 00101   516   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00102   516   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00103   516   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   516   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   516   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   516   NtClose  (-2147482020, ... ) == 0x0
 00107   516   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   516   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   516   NtClose  (-2147482020, ... ) == 0x0
 00110   516   NtQueryDefaultLocale  (0, -136377844, ... ) == 0x0
 00111   516   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   516   NtUserCallNoParam  (24, ... ) == 0x0
 00113   516   NtGdiCreateCompatibleDC  (0, ...
 00114   516   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00113   516   NtGdiCreateCompatibleDC  ... ) == 0xe010451
 00115   516   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   516   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   516   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb050458
 00118   516   NtGdiCreateSolidBrush  (0, 0, ...
 00119   516   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00118   516   NtGdiCreateSolidBrush  ... ) == 0x810045b
 00120   516   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   516   NtGdiCreateCompatibleDC  (0, ... ) == 0x601045c
 00122   516   NtGdiSelectBitmap  (100729948, 184878168, ... ) == 0x185000f
 00123   516   NtUserGetThreadDesktop  (516, 0, ... ) == 0x2c
 00124   516   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   516   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   516   NtClose  (52, ... ) == 0x0
 00127   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00129   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00131   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00133   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00135   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00137   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00139   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00141   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00143   516   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   516   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00145   516   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00146   516   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00147   516   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00148   516   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00149   516   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00150   516   NtAllocateVirtualMemory  (-1, 5550080, 0, 4096, 4096, 32, ... 5550080, 4096, ) == 0x0
 00149   516   NtUserRegisterClassExWOW  ... ) == 0x810cc025
 00151   516   NtCallbackReturn  (0, 0, 0, ...
 00152   516   NtGdiInit  (... ) == 0x1
 00153   516   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   516   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   516   NtTestAlert  (... ) == 0x0
 00156   516   NtContinue  (1244464, 1, ...
 00157   516   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... ) == 0x0
 00158   516   NtProtectVirtualMemory  (-1, (0x401000), 53248, 64, ... (0x401000), 53248, 128, ) == 0x0
 00159   516   NtProtectVirtualMemory  (-1, (0x40e000), 4096, 64, ... (0x40e000), 4096, 2, ) == 0x0
 00160   516   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00161   516   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00162   516   NtClose  (52, ... ) == 0x0
 00163   516   NtProtectVirtualMemory  (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0
 00164   516   NtProtectVirtualMemory  (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0
 00165   516   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00166   516   NtQueryDefaultUILanguage  (2013024600, ...
 00167   516   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00168   516   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00169   516   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00170   516   NtClose  (-2147482020, ... ) == 0x0
 00171   516   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00172   516   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00173   516   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00174   516   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   516   NtClose  (-2147482032, ... ) == 0x0
 00176   516   NtClose  (-2147482020, ... ) == 0x0
 00166   516   NtQueryDefaultUILanguage  ... ) == 0x0
 00177   516   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00178   516   NtQueryDefaultLocale  (1, 1244036, ... ) == 0x0
 00179   516   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1244128,  (0x40100080, {24, 0, 0x40, 0, 1244128, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ...
 00180   516   NtClose  (-2147482020, ... ) == 0x0
 00179   516   NtCreateFile  ... 52, {status=0x0, info=2}, ) == 0x0
 00181   516   NtWriteFile  (52, 0, 0, 0,  (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\224\35\361F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0@\0\0\0\20\0\0\0\320\0\0\0\20\0\0\0\340\0\0\0 \1\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0 "\1\0\304\0\0\0H0\1\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\344"\1\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34304, 0x0, 0, ... {status=0x0, info=34304}, ) \1\0\304\0\0\0H0\1\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\344 (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\224\35\361F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0@\0\0\0\20\0\0\0\320\0\0\0\20\0\0\0\340\0\0\0 \1\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0 "\1\0\304\0\0\0H0\1\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\344"\1\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 34304, 0x0, 0, ... {status=0x0, info=34304}, ) , 34304, 0x0, 0, ... {status=0x0, info=34304}, ) == 0x0
 00182   516   NtClose  (52, ... ) == 0x0
 00183   516   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243844,  (0x80100080, {24, 0, 0x40, 0, 1243844, "\??\u:\work\packed.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0
 00184   516   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 1243844,  (0x40100080, {24, 0, 0x40, 0, 1243844, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0
 00185   516   NtQueryInformationFile  (52, 1243904, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00186   516   NtSetInformationFile  (52, 1243936, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00187   516   NtReadFile  (52, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=13},  (52, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=13}, "67604\0\0\0\0\0\0\0\0", ) , ) == 0x0
 00188   516   NtQueryInformationFile  (56, 1243904, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00189   516   NtSetInformationFile  (56, 1243936, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00190   516   NtWriteFile  (56, 0, 0, 0,  (56, 0, 0, 0, "67604\0\0\0\0\0\0\0\0", 13, 0x0, 0, ... {status=0x0, info=13}, ) , 13, 0x0, 0, ... {status=0x0, info=13}, ) == 0x0
 00191   516   NtClose  (52, ... ) == 0x0
 00192   516   NtClose  (56, ... ) == 0x0
 00193   516   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 1241996, ... ) }, 1241996, ... ) == 0x0
 00194   516   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00195   516   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 52, ) == 0x0
 00196   516   NtClose  (56, ... ) == 0x0
 00197   516   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 36864, ) == 0x0
 00198   516   NtClose  (52, ... ) == 0x0
 00199   516   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00200   516   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 1242312, ... ) }, 1242312, ... ) == 0x0
 00201   516   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\yayaxut.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00202   516   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0
 00203   516   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00204   516   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00205   516   NtQueryInformationToken  (60, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00206   516   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00207   516   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 64, ) }, ... 64, ) == 0x0
 00208   516   NtQueryValueKey  (64,  (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (64, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00209   516   NtClose  (64, ... ) == 0x0
 00210   516   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00211   516   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00212   516   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00213   516   NtClose  (64, ... ) == 0x0
 00214   516   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00215   516   NtClose  (60, ... ) == 0x0
 00216   516   NtClose  (52, ... ) == 0x0
 00217   516   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 81920, ) == 0x0
 00218   516   NtClose  (56, ... ) == 0x0
 00219   516   NtProtectVirtualMemory  (-1, (0x10013000), 4096, 4, ... (0x10013000), 4096, 2, ) == 0x0
 00220   516   NtProtectVirtualMemory  (-1, (0x10013000), 4096, 2, ... (0x10013000), 4096, 4, ) == 0x0
 00221   516   NtFlushInstructionCache  (-1, 268513280, 4096, ... ) == 0x0
 00222   516   NtProtectVirtualMemory  (-1, (0x10013000), 4096, 4, ... (0x10013000), 4096, 2, ) == 0x0
 00223   516   NtProtectVirtualMemory  (-1, (0x10013000), 4096, 2, ... (0x10013000), 4096, 4, ) == 0x0
 00224   516   NtFlushInstructionCache  (-1, 268513280, 4096, ... ) == 0x0
 00225   516   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00226   516   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00227   516   NtContinue  (1240560, 0, ...
 00228   516   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00229   516   NtUnmapViewOfSection  (-1, 0x10000000, ... ) == 0x0
 00230   516   NtQueryDebugFilterState  (87, 3, ... ) == 0x0
 00231   516   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 56, {status=0x0, info=1}, ) }, 7, 2113568, ... 56, {status=0x0, info=1}, ) == 0x0
 00232   516   NtSetInformationFile  (56, 1243580, 40, Basic, ... ) == STATUS_ACCESS_DENIED
 00233   516   NtClose  (56, ... ) == 0x0
 00234   516   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1243604, ... ) }, 1243604, ... ) == 0x0
 00235   516   NtTerminateProcess  (0, 0, ... ) == 0x0
 00236   516   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00237   516   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2147348480, 2012568899, 2011780604, 2013024552}  (24, {20, 48, new_msg, 0, 2147348480, 2012568899, 2011780604, 2013024552} "\0\0\0\0\3\0\1\0\342\\365w\30f\355w\0\0\0\0" ... {20, 48, reply, 0, 504, 516, 1575, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\30f\355w\0\0\0\0" )  ... {20, 48, reply, 0, 504, 516, 1575, 0}  (24, {20, 48, new_msg, 0, 2147348480, 2012568899, 2011780604, 2013024552} "\0\0\0\0\3\0\1\0\342\\365w\30f\355w\0\0\0\0" ... {20, 48, reply, 0, 504, 516, 1575, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\30f\355w\0\0\0\0" )  ) == 0x0
 00238   516   NtTerminateProcess  (-1, 0, ...
 00239   516   NtClose  (44, ... ) == 0x0
NtCallbackReturn(>)	1	NtQueryVolumeInformationFile(>)	1	NtQueryVirtualMemory(>)	2	NtRequestWaitReplyPort(>)	4
NtCreateEvent(>)	1	NtReadFile(>)	1	NtSetInformationObject(>)	2	NtGdiGetStockObject(>)	5
NtDuplicateObject(>)	1	NtRegisterThreadTerminatePort(>)	1	NtTerminateProcess(>)	2	NtOpenFile(>)	5
NtFsControlFile(>)	1	NtSecureConnectPort(>)	1	NtUnmapViewOfSection(>)	2	NtQueryInformationToken(>)	6
NtGdiCreateBitmap(>)	1	NtSetInformationThread(>)	1	NtWriteFile(>)	2	NtQuerySystemInformation(>)	6
NtGdiInit(>)	1	NtTestAlert(>)	1	NtCreateSection(>)	3	NtUserFindExistingCursorIcon(>)	9
NtGdiQueryFontAssocInfo(>)	1	NtUserCallNoParam(>)	1	NtGdiCreateCompatibleDC(>)	3	NtOpenSection(>)	11
NtGdiSelectBitmap(>)	1	NtUserGetThreadDesktop(>)	1	NtOpenProcessTokenEx(>)	3	NtQueryValueKey(>)	11
NtOpenDirectoryObject(>)	1	NtContinue(>)	2	NtOpenThreadTokenEx(>)	3	NtAllocateVirtualMemory(>)	12
NtOpenKeyedEvent(>)	1	NtFreeVirtualMemory(>)	2	NtQueryDefaultLocale(>)	3	NtMapViewOfSection(>)	12
NtOpenMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtSetInformationFile(>)	3	NtProtectVirtualMemory(>)	12
NtOpenSymbolicLinkObject(>)	1	NtOpenProcessToken(>)	2	NtCreateFile(>)	4	NtUserRegisterClassExWOW(>)	15
NtQueryInstallUILanguage(>)	1	NtQueryDefaultUILanguage(>)	2	NtFlushInstructionCache(>)	4	NtOpenKey(>)	18
NtQueryObject(>)	1	NtQueryInformationFile(>)	2	NtQueryAttributesFile(>)	4	NtClose(>)	37
NtQuerySymbolicLinkObject(>)	1	NtQuerySection(>)	2	NtQueryDebugFilterState(>)	4