Summary:


NtCallbackReturn(>)  1 
NtQueryObject(>)  1 
NtOpenProcessToken(>)  2 
NtUserFindExistingCursorIcon(>)  9 

NtCreateEvent(>)  1 
NtQuerySection(>)  1 
NtOpenProcessTokenEx(>)  2 
NtQuerySystemInformation(>)  13 

NtCreateSection(>)  1 
NtQuerySymbolicLinkObject(>)  1 
NtOpenThreadTokenEx(>)  2 
NtMapViewOfSection(>)  14 

NtDuplicateObject(>)  1 
NtQueryVolumeInformationFile(>)  1 
NtQueryDefaultLocale(>)  2 
NtProtectVirtualMemory(>)  14 

NtFsControlFile(>)  1 
NtRegisterThreadTerminatePort(>)  1 
NtQueryVirtualMemory(>)  2 
NtOpenSection(>)  15 

NtGdiCreateBitmap(>)  1 
NtSecureConnectPort(>)  1 
NtSetInformationThread(>)  2 
NtQueryValueKey(>)  15 

NtGdiInit(>)  1 
NtTestAlert(>)  1 
NtTerminateProcess(>)  2 
NtUserRegisterClassExWOW(>)  15 

NtGdiQueryFontAssocInfo(>)  1 
NtUserCallNoParam(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtAllocateVirtualMemory(>)  16 

NtGdiSelectBitmap(>)  1 
NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  3 
NtWaitForSingleObject(>)  19 

NtOpenEvent(>)  1 
NtUserRegisterWindowMessage(>)  1 
NtRequestWaitReplyPort(>)  4 
NtContinue(>)  20 

NtOpenFile(>)  1 
NtDelayExecution(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenKey(>)  22 

NtOpenKeyedEvent(>)  1 
NtFreeVirtualMemory(>)  2 
NtQueryInformationToken(>)  5 
NtClose(>)  31 

NtOpenMutant(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtFlushInstructionCache(>)  7 
NtReleaseMutant(>)  38 

NtOpenSymbolicLinkObject(>)  1 
NtOpenDirectoryObject(>)  2 
NtQueryAttributesFile(>)  7 

Trace:
 00001   448   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   448   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   448   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   448   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   448   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   448   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   448   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   448   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   448   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   448   NtClose  (12, ... ) == 0x0
 00014   448   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   448   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   448   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   448   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   448   NtClose  (16, ... ) == 0x0
 00021   448   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   448   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   448   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   448   NtClose  (16, ... ) == 0x0
 00026   448   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   448   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   448   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   448   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 436, 448, 1487, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 436, 448, 1487, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 436, 448, 1487, 0} "\0\346\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   448   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   448   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   448   NtClose  (16, ... ) == 0x0
 00036   448   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00037   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00038   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00039   448   NtClose  (28, ... ) == 0x0
 00040   448   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00041   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00042   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00043   448   NtClose  (28, ... ) == 0x0
 00044   448   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00045   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00046   448   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00047   448   NtClose  (28, ... ) == 0x0
 00048   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00049   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00050   448   NtClose  (28, ... ) == 0x0
 00051   448   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00052   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00053   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 436, 448, 1490, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 436, 448, 1490, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 436, 448, 1490, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00055   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 8, ) == 0x0
 00056   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 8, ... (0x40b000), 4096, 4, ) == 0x0
 00057   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00058   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00059   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00060   448   NtClose  (28, ... ) == 0x0
 00061   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00062   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00063   448   NtClose  (28, ... ) == 0x0
 00064   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00065   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00066   448   NtClose  (28, ... ) == 0x0
 00067   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00068   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00069   448   NtClose  (28, ... ) == 0x0
 00070   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00071   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00072   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00073   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00074   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00075   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00076   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "oleaut32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00077   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00078   448   NtClose  (28, ... ) == 0x0
 00079   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00080   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00081   448   NtClose  (28, ... ) == 0x0
 00082   448   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00083   448   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00084   448   NtClose  (28, ... ) == 0x0
 00085   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00086   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00087   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00088   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00089   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00090   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00091   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00092   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00093   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00094   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00095   448   NtProtectVirtualMemory  (-1, (0x40b000), 4096, 4, ... (0x40b000), 4096, 4, ) == 0x0
 00096   448   NtFlushInstructionCache  (-1, 4239360, 4096, ... ) == 0x0
 00097   448   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00098   448   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00099   448   NtClose  (28, ... ) == 0x0
 00100   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00101   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00102   448   NtClose  (28, ... ) == 0x0
 00103   448   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00104   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00105   448   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00106   448   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00107   448   NtClose  (28, ... ) == 0x0
 00108   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00109   448   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00110   448   NtClose  (28, ... ) == 0x0
 00111   448   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00112   448   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00113   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00114   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00115   448   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 436, 448, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 436, 448, 1493, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 436, 448, 1493, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00116   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00117   448   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x430000), 0x0, 1060864, ) == 0x0
 00118   448   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00119   448   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00120   448   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00121   448   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00122   448   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00123   448   NtClose  (-2147482020, ... ) == 0x0
 00124   448   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00125   448   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00126   448   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00127   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00128   448   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   448   NtClose  (-2147482020, ... ) == 0x0
 00130   448   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00131   448   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00132   448   NtClose  (-2147482020, ... ) == 0x0
 00133   448   NtQueryDefaultLocale  (0, -133527028, ... ) == 0x0
 00134   448   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00135   448   NtUserCallNoParam  (24, ... ) == 0x0
 00136   448   NtGdiCreateCompatibleDC  (0, ...
 00137   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00136   448   NtGdiCreateCompatibleDC  ... ) == 0x1501031f
 00138   448   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00139   448   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00140   448   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x13050402
 00141   448   NtGdiCreateSolidBrush  (0, 0, ...
 00142   448   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0
 00141   448   NtGdiCreateSolidBrush  ... ) == 0xe100408
 00143   448   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00144   448   NtGdiCreateCompatibleDC  (0, ... ) == 0x39010416
 00145   448   NtGdiSelectBitmap  (956367894, 319095810, ... ) == 0x185000f
 00146   448   NtUserGetThreadDesktop  (448, 0, ... ) == 0x2c
 00147   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00148   448   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00149   448   NtClose  (52, ... ) == 0x0
 00150   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00151   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00152   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00153   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00154   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00155   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00156   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00157   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00158   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00159   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00160   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00161   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00162   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00163   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00164   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00165   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00166   448   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00167   448   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00168   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00169   448   NtAllocateVirtualMemory  (-1, 5599232, 0, 4096, 4096, 32, ... 5599232, 4096, ) == 0x0
 00168   448   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00170   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00171   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00172   448   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00173   448   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00174   448   NtCallbackReturn  (0, 0, 0, ...
 00175   448   NtGdiInit  (... ) == 0x1
 00176   448   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00177   448   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00178   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00179   448   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8716288, 65536, ) == 0x0
 00180   448   NtAllocateVirtualMemory  (-1, 8716288, 0, 4096, 4096, 4, ... 8716288, 4096, ) == 0x0
 00181   448   NtAllocateVirtualMemory  (-1, 8720384, 0, 8192, 4096, 4, ... 8720384, 8192, ) == 0x0
 00182   448   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00183   448   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x860000), 0x0, 12288, ) == 0x0
 00184   448   NtClose  (52, ... ) == 0x0
 00185   448   NtAllocateVirtualMemory  (-1, 8728576, 0, 4096, 4096, 4, ... 8728576, 4096, ) == 0x0
 00186   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00187   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00188   448   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00189   448   NtQueryValueKey  (52,  (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00190   448   NtClose  (52, ... ) == 0x0
 00191   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00192   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00193   448   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00194   448   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00195   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0
 00196   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00198   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00199   448   NtClose  (52, ... ) == 0x0
 00200   448   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0
 00201   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00202   448   NtQueryValueKey  (52,  (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00203   448   NtClose  (52, ... ) == 0x0
 00204   448   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00205   448   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   448   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00207   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   448   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00209   448   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00210   448   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00211   448   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00212   448   NtClose  (56, ... ) == 0x0
 00213   448   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00214   448   NtTestAlert  (... ) == 0x0
 00215   448   NtContinue  (1244464, 1, ...
 00216   448   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4081b0,}, 4, ... ) == 0x0
 00217   448   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00218   448   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00219   448   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00220   448   NtClose  (56, ... ) == 0x0
 00221   448   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00222   448   NtSetInformationObject  (56, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00223   448   NtOpenKey  (0xf0019, {24, 56, 0x40, 0, 0,  (0xf0019, {24, 56, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00224   448   NtOpenKey  (0xf0019, {24, 28, 0x40, 0, 0,  (0xf0019, {24, 28, 0x40, 0, 0, "Software\Borland\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00225   448   NtOpenKey  (0xf0019, {24, 56, 0x40, 0, 0,  (0xf0019, {24, 56, 0x40, 0, 0, "Software\Borland\Delphi\Locales"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00226   448   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00227   448   NtQueryInformationToken  (60, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00228   448   NtClose  (60, ... ) == 0x0
 00229   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00230   448   NtReleaseMutant  (16, ...
 00231   448   NtContinue  (-133529464, 0, ...
 00230   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00232   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU"}, 1242228, ... ) }, 1242228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00234   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.ENU.DLL"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00235   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN"}, 1242228, ... ) }, 1242228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00236   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00237   448   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.EN.DLL"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00238   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00239   448   NtReleaseMutant  (16, ...
 00240   448   NtContinue  (-133529464, 0, ...
 00239   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00241   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00242   448   NtReleaseMutant  (16, ...
 00243   448   NtContinue  (-133529464, 0, ...
 00242   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00244   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00245   448   NtReleaseMutant  (16, ...
 00246   448   NtContinue  (-133529464, 0, ...
 00245   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00247   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00248   448   NtReleaseMutant  (16, ...
 00249   448   NtContinue  (-133529464, 0, ...
 00248   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00250   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00251   448   NtReleaseMutant  (16, ...
 00252   448   NtContinue  (-133529464, 0, ...
 00251   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00253   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00254   448   NtReleaseMutant  (16, ...
 00255   448   NtContinue  (-133529464, 0, ...
 00254   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00256   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00257   448   NtReleaseMutant  (16, ...
 00258   448   NtContinue  (-133529464, 0, ...
 00257   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00259   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00260   448   NtReleaseMutant  (16, ...
 00261   448   NtContinue  (-133529464, 0, ...
 00260   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00262   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00263   448   NtReleaseMutant  (16, ...
 00264   448   NtContinue  (-133529464, 0, ...
 00263   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00265   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00266   448   NtReleaseMutant  (16, ...
 00267   448   NtContinue  (-133529464, 0, ...
 00266   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00268   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00269   448   NtReleaseMutant  (16, ...
 00270   448   NtContinue  (-133529464, 0, ...
 00269   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00271   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00272   448   NtReleaseMutant  (16, ...
 00273   448   NtContinue  (-133529464, 0, ...
 00272   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00274   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00275   448   NtReleaseMutant  (16, ...
 00276   448   NtContinue  (-133529464, 0, ...
 00275   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00277   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00278   448   NtReleaseMutant  (16, ...
 00279   448   NtContinue  (-133529464, 0, ...
 00278   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00280   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00281   448   NtReleaseMutant  (16, ...
 00282   448   NtContinue  (-133529464, 0, ...
 00281   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00283   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00284   448   NtReleaseMutant  (16, ...
 00285   448   NtContinue  (-133529464, 0, ...
 00284   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00286   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00287   448   NtReleaseMutant  (16, ...
 00288   448   NtContinue  (-133529464, 0, ...
 00287   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00289   448   NtWaitForSingleObject  (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED
 00290   448   NtReleaseMutant  (16, ...
 00291   448   NtContinue  (-133529464, 0, ...
 00290   448   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 00292   448   NtDelayExecution  (0, {-1500000, -1}, ... ) == 0x0
 00293   448   NtDelayExecution  (0, {-1500000, -1}, ... ) == 0x0
 00294   448   NtTerminateProcess  (0, 0, ... ) == 0x0
 00295   448   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 00296   448   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00297   448   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 1245016, 0, 2012550835, 1329624}  (24, {20, 48, new_msg, 0, 1245016, 0, 2012550835, 1329624} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 448, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 436, 448, 1520, 0}  (24, {20, 48, new_msg, 0, 1245016, 0, 2012550835, 1329624} "\0\0\0\0\3\0\1\0\215\26\365w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 436, 448, 1520, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00298   448   NtTerminateProcess  (-1, 0, ...
 00299   448   NtClose  (44, ... ) == 0x0
NtCallbackReturn(>)	1	NtQueryObject(>)	1	NtOpenProcessToken(>)	2	NtUserFindExistingCursorIcon(>)	9
NtCreateEvent(>)	1	NtQuerySection(>)	1	NtOpenProcessTokenEx(>)	2	NtQuerySystemInformation(>)	13
NtCreateSection(>)	1	NtQuerySymbolicLinkObject(>)	1	NtOpenThreadTokenEx(>)	2	NtMapViewOfSection(>)	14
NtDuplicateObject(>)	1	NtQueryVolumeInformationFile(>)	1	NtQueryDefaultLocale(>)	2	NtProtectVirtualMemory(>)	14
NtFsControlFile(>)	1	NtRegisterThreadTerminatePort(>)	1	NtQueryVirtualMemory(>)	2	NtOpenSection(>)	15
NtGdiCreateBitmap(>)	1	NtSecureConnectPort(>)	1	NtSetInformationThread(>)	2	NtQueryValueKey(>)	15
NtGdiInit(>)	1	NtTestAlert(>)	1	NtTerminateProcess(>)	2	NtUserRegisterClassExWOW(>)	15
NtGdiQueryFontAssocInfo(>)	1	NtUserCallNoParam(>)	1	NtGdiCreateCompatibleDC(>)	3	NtAllocateVirtualMemory(>)	16
NtGdiSelectBitmap(>)	1	NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	3	NtWaitForSingleObject(>)	19
NtOpenEvent(>)	1	NtUserRegisterWindowMessage(>)	1	NtRequestWaitReplyPort(>)	4	NtContinue(>)	20
NtOpenFile(>)	1	NtDelayExecution(>)	2	NtGdiGetStockObject(>)	5	NtOpenKey(>)	22
NtOpenKeyedEvent(>)	1	NtFreeVirtualMemory(>)	2	NtQueryInformationToken(>)	5	NtClose(>)	31
NtOpenMutant(>)	1	NtGdiCreateSolidBrush(>)	2	NtFlushInstructionCache(>)	7	NtReleaseMutant(>)	38
NtOpenSymbolicLinkObject(>)	1	NtOpenDirectoryObject(>)	2	NtQueryAttributesFile(>)	7