Summary (number of calls per system service; counts ascend reading down each of the four columns):

NtAccessCheck(>) 1 NtQueryDebugFilterState(>) 1 NtQuerySection(>) 2 NtQueryAttributesFile(>) 6
NtCallbackReturn(>) 1 NtQueryInstallUILanguage(>) 1 NtQueryVirtualMemory(>) 2 NtOpenFile(>) 8
NtContinue(>) 1 NtQueryObject(>) 1 NtSetInformationObject(>) 2 NtQueryInformationToken(>) 8
NtCreateEvent(>) 1 NtQuerySymbolicLinkObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQuerySystemInformation(>) 8
NtDuplicateObject(>) 1 NtQueryVolumeInformationFile(>) 1 NtOpenProcessToken(>) 3 NtOpenSection(>) 13
NtFreeVirtualMemory(>) 1 NtRaiseException(>) 1 NtQueryDefaultLocale(>) 3 NtQueryValueKey(>) 14
NtFsControlFile(>) 1 NtRegisterThreadTerminatePort(>) 1 NtQueryInformationProcess(>) 3 NtMapViewOfSection(>) 16
NtGdiCreateBitmap(>) 1 NtSecureConnectPort(>) 1 NtUnmapViewOfSection(>) 3 NtAllocateVirtualMemory(>) 20
NtGdiInit(>) 1 NtSetInformationProcess(>) 1 NtQueryDefaultUILanguage(>) 4 NtFlushInstructionCache(>) 23
NtGdiQueryFontAssocInfo(>) 1 NtSetInformationThread(>) 1 NtUserSystemParametersInfo(>) 4 NtUserFindExistingCursorIcon(>) 25
NtGdiSelectBitmap(>) 1 NtTestAlert(>) 1 NtCreateSection(>) 5 NtOpenKey(>) 32
NtOpenDirectoryObject(>) 1 NtUserCallNoParam(>) 1 NtGdiGetStockObject(>) 5 NtUserRegisterClassExWOW(>) 33
NtOpenKeyedEvent(>) 1 NtUserGetThreadDesktop(>) 1 NtOpenProcessTokenEx(>) 5 NtProtectVirtualMemory(>) 44
NtOpenProcess(>) 1 NtUserRegisterWindowMessage(>) 1 NtOpenThreadTokenEx(>) 5 NtClose(>) 47
NtOpenSymbolicLinkObject(>) 1 NtGdiCreateSolidBrush(>) 2 NtRequestWaitReplyPort(>) 5

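Trace (each entry: sequence number, caller ID 1556 — apparently the thread ID, since it matches the first argument of NtUserGetThreadDesktop in entry 00244 — then the service name, its arguments, and `==` followed by the returned status or value; an entry that breaks off at `...` with no result, such as 00234, is completed by a later entry carrying the same sequence number):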

00001 1556 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1556 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1556 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1556 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1556 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1556 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1556 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1556 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1556 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1556 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1556 NtClose (12, ... ) == 0x0 00015 1556 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1556 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1556 NtClose (16, ... ) == 0x0 00021 1556 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1556 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1556 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1556 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1556 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1556 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1556 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1556 NtClose (16, ... ) == 0x0 00030 1556 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1556 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1556 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1556 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1556 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1480, 1556, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 1480, 1556, 57959, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1480, 1556, 57959, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 1556 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1556 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1556 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1556 NtClose (16, ... ) == 0x0 00041 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1556 NtClose (16, ... ) == 0x0 00044 1556 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1556 NtClose (16, ... ) == 0x0 00048 1556 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1556 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1556 NtClose (16, ... ) == 0x0 00052 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1556 NtClose (16, ... ) == 0x0 00055 1556 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1556 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1556 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1480, 1556, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 1480, 1556, 57960, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1480, 1556, 57960, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 1556 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1480, 1556, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 1480, 1556, 57961, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1480, 1556, 57961, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 1556 NtProtectVirtualMemory (-1, (0x514000), 4096, 4, ... (0x514000), 4096, 8, ) == 0x0 00062 1556 NtProtectVirtualMemory (-1, (0x514000), 4096, 8, ... 
(0x514000), 4096, 4, ) == 0x0 00063 1556 NtFlushInstructionCache (-1, 5324800, 4096, ... ) == 0x0 00064 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00065 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0 00066 1556 NtClose (16, ... ) == 0x0 00067 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00068 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00069 1556 NtClose (16, ... ) == 0x0 00070 1556 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00071 1556 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00072 1556 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00073 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0 00074 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00075 1556 NtClose (16, ... ) == 0x0 00076 1556 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00077 1556 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00078 1556 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00079 1556 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00080 1556 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00081 1556 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00082 1556 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00083 1556 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00084 1556 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00085 1556 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00086 1556 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00087 1556 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00088 1556 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00089 1556 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00090 1556 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00091 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00092 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00093 1556 NtClose (16, ... ) == 0x0 00094 1556 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 1556 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 1556 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 1556 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00098 1556 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00099 1556 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00100 1556 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00101 1556 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00102 1556 NtClose (16, ... ) == 0x0 00103 1556 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00104 1556 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 1556 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 1556 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00107 1556 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00108 1556 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00109 1556 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00110 1556 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00111 1556 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00112 1556 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00113 1556 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00114 1556 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00115 1556 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00116 1556 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00117 1556 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00118 1556 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00119 1556 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00120 1556 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00121 1556 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00122 1556 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00123 1556 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00124 1556 NtProtectVirtualMemory (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0 00125 1556 NtProtectVirtualMemory (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0 00126 1556 NtFlushInstructionCache (-1, 1560875008, 1656, ... ) == 0x0 00127 1556 NtProtectVirtualMemory (-1, (0x514000), 4096, 4, ... (0x514000), 4096, 4, ) == 0x0 00128 1556 NtProtectVirtualMemory (-1, (0x514000), 4096, 4, ... 
(0x514000), 4096, 4, ) == 0x0 00129 1556 NtFlushInstructionCache (-1, 5324800, 4096, ... ) == 0x0 00130 1556 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00131 1556 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00132 1556 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00133 1556 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00134 1556 NtClose (16, ... ) == 0x0 00135 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00136 1556 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00137 1556 NtClose (16, ... ) == 0x0 00138 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00139 1556 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00140 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00142 1556 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00143 1556 NtQueryValueKey (16, (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00144 1556 NtClose (16, ... ) == 0x0 00145 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 16, ) }, ... 16, ) == 0x0 00146 1556 NtQueryValueKey (16, (16, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00147 1556 NtClose (16, ... ) == 0x0 00148 1556 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 16, ) }, ... 16, ) == 0x0 00149 1556 NtSetInformationObject (16, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00150 1556 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00151 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00152 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00153 1556 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6\31\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... 
{28, 56, reply, 0, 1480, 1556, 57962, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 1480, 1556, 57962, 0} (24, {28, 56, new_msg, 0, 1242016, 2090320424, 1242052, 1242044} "\210\6\31\1\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1480, 1556, 57962, 0} "\320G\26\0\0\0\0\0\0\0\0\0\30\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00154 1556 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00155 1556 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00156 1556 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00157 1556 NtClose (28, ... ) == 0x0 00158 1556 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00159 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0 00160 1556 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00161 1556 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0 00162 1556 NtClose (28, ... ) == 0x0 00163 1556 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x620000), 0x0, 110592, ) == 0x0 00164 1556 NtClose (32, ... ) == 0x0 00165 1556 NtUnmapViewOfSection (-1, 0x620000, ... ) == 0x0 00166 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0 00167 1556 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 
32, {status=0x0, info=1}, ) == 0x0 00168 1556 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 32, ... 28, ) == 0x0 00169 1556 NtClose (32, ... ) == 0x0 00170 1556 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x620000), 0x0, 110592, ) == 0x0 00171 1556 NtClose (28, ... ) == 0x0 00172 1556 NtUnmapViewOfSection (-1, 0x620000, ... ) == 0x0 00173 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0 00174 1556 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00175 1556 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00176 1556 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00177 1556 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00178 1556 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00179 1556 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00180 1556 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00181 1556 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00182 1556 NtClose (40, ... ) == 0x0 00183 1556 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00184 1556 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00185 1556 NtQueryInformationToken (40, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00186 1556 NtClose (40, ... ) == 0x0 00187 1556 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1556 NtClose (36, ... ) == 0x0 00189 1556 NtClose (28, ... ) == 0x0 00190 1556 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00191 1556 NtClose (32, ... ) == 0x0 00192 1556 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00193 1556 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00194 1556 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00195 1556 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00196 1556 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00197 1556 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00198 1556 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00199 1556 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00200 1556 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00201 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00202 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00203 1556 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 
1228800, 4096, ) == 0x0 00204 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0 00205 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00206 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00207 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 1556 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMCTL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00209 1556 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0 00210 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0 00212 1556 NtQueryValueKey (32, (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00213 1556 NtClose (32, ... ) == 0x0 00214 1556 NtMapViewOfSection (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x620000), 0x0, 1060864, ) == 0x0 00215 1556 NtClose (-2147482740, ... ) == 0x0 00216 1556 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00217 1556 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00218 1556 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482740, ) == 0x0 00219 1556 NtQueryInformationToken (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00220 1556 NtQueryInformationToken (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00221 1556 NtClose (-2147482740, ... ) == 0x0 00222 1556 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00223 1556 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00224 1556 NtDuplicateObject (-1, 28, -1, 0x0, 0, 2, ... 40, ) == 0x0 00225 1556 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00226 1556 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00227 1556 NtClose (-2147482740, ... ) == 0x0 00228 1556 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0 00229 1556 NtQueryValueKey (-2147482740, (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 1556 NtClose (-2147482740, ... ) == 0x0 00231 1556 NtQueryDefaultLocale (0, -139609780, ... ) == 0x0 00232 1556 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00233 1556 NtUserCallNoParam (24, ... ) == 0x0 00234 1556 NtGdiCreateCompatibleDC (0, ... 00235 1556 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00234 1556 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00236 1556 NtGdiGetStockObject (0, ... 
) == 0x1900010 00237 1556 NtGdiGetStockObject (4, ... ) == 0x1900011 00238 1556 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00239 1556 NtGdiCreateSolidBrush (0, 0, ... 00240 1556 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 10682368, 4096, ) == 0x0 00239 1556 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00241 1556 NtGdiGetStockObject (13, ... ) == 0x18a0021 00242 1556 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00243 1556 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00244 1556 NtUserGetThreadDesktop (1556, 0, ... ) == 0x24 00245 1556 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00246 1556 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00247 1556 NtClose (44, ... ) == 0x0 00248 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00249 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8174c017 00250 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00251 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8174c01c 00252 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00253 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8174c01e 00254 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00255 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81748002 00256 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10013 00257 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... 
) == 0x8174c018 00258 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00259 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8174c01a 00260 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00261 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8174c01d 00262 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00263 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8174c026 00264 1556 NtUserFindExistingCursorIcon (1241132, 1241148, 1241196, ... ) == 0x10011 00265 1556 NtUserRegisterClassExWOW (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8174c019 00266 1556 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c020 00267 1556 NtUserRegisterClassExWOW (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8174c022 00268 1556 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c023 00269 1556 NtUserRegisterClassExWOW (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8174c024 00270 1556 NtUserRegisterClassExWOW (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8174c025 00271 1556 NtCallbackReturn (0, 0, 0, ... 00272 1556 NtGdiInit (... ) == 0x1 00273 1556 NtGdiGetStockObject (18, ... ) == 0x290001c 00274 1556 NtGdiGetStockObject (19, ... ) == 0x1b00019 00275 1556 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00276 1556 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10747904, 65536, ) == 0x0 00277 1556 NtAllocateVirtualMemory (-1, 10747904, 0, 4096, 4096, 4, ... 
10747904, 4096, ) == 0x0 00278 1556 NtAllocateVirtualMemory (-1, 10752000, 0, 8192, 4096, 4, ... 10752000, 8192, ) == 0x0 00279 1556 NtAllocateVirtualMemory (-1, 10760192, 0, 4096, 4096, 4, ... 10760192, 4096, ) == 0x0 00280 1556 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) == 0x0 00281 1556 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa50000), 0x0, 12288, ) == 0x0 00282 1556 NtClose (44, ... ) == 0x0 00283 1556 NtAllocateVirtualMemory (-1, 10764288, 0, 4096, 4096, 4, ... 10764288, 4096, ) == 0x0 00284 1556 NtQueryDefaultUILanguage (1241688, ... 00285 1556 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00286 1556 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00287 1556 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00288 1556 NtClose (-2147482740, ... ) == 0x0 00289 1556 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) == 0x0 00290 1556 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00291 1556 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) == 0x0 00292 1556 NtQueryValueKey (-2147481328, "MultiUILanguageId", Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00293 1556 NtClose (-2147481328, ... ) == 0x0 00294 1556 NtClose (-2147482740, ... ) == 0x0 00284 1556 NtQueryDefaultUILanguage ... ) == 0x0 00295 1556 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll"}, 1, 96, ... 
44, {status=0x0, info=1}, ) == 0x0 00296 1556 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 44, ... 48, ) == 0x0 00297 1556 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa60000), 0x0, 618496, ) == 0x0 00298 1556 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Manifest"}, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00299 1556 NtQueryDefaultUILanguage (2090319928, ... 00300 1556 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00301 1556 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482740, ) == 0x0 00302 1556 NtQueryInformationToken (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00303 1556 NtClose (-2147482740, ... ) == 0x0 00304 1556 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) == 0x0 00305 1556 NtOpenKey (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 1556 NtOpenKey (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) == 0x0 00307 1556 NtQueryValueKey (-2147481328, "MultiUILanguageId", Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1556 NtClose (-2147481328, ... ) == 0x0 00309 1556 NtClose (-2147482740, ... ) == 0x0 00299 1556 NtQueryDefaultUILanguage ... ) == 0x0 00310 1556 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00311 1556 NtQueryDefaultLocale (1, 1239784, ... ) == 0x0 00312 1556 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMCTL32.dll.124.Config"}, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00313 1556 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1240820, 1179817, 1240544} "\210\6\31\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1480, 1556, 57972, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6\31\1,\0\0\0\377\377\377\377\0\0\0\0\340q\255\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6\31\1\0\0\0\0\0\0\0\0\350\362\22\0\0\0\0\0" ) == 0x0 00314 1556 NtClose (44, ... ) == 0x0 00315 1556 NtClose (48, ... ) == 0x0 00316 1556 NtUnmapViewOfSection (-1, 0xa60000, ... ) == 0x0 00317 1556 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00318 1556 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1480, 0}, ... 48, ) == 0x0 00319 1556 NtQueryInformationProcess (48, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00320 1556 NtClose (48, ... 
) == 0x0 00321 1556 NtUserRegisterWindowMessage ("ShellGetDragImage", ... ) == 0xc03a 00322 1556 NtUserSystemParametersInfo (104, 0, 1561338260, 0, ... ) == 0x1 00323 1556 NtUserSystemParametersInfo (38, 4, 1561337988, 0, ... ) == 0x1 00324 1556 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00325 1556 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 48, ) == 0x0 00326 1556 NtQueryInformationToken (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00327 1556 NtClose (48, ... ) == 0x0 00328 1556 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) == 0x0 00329 1556 NtOpenProcessToken (-1, 0x8, ... 44, ) == 0x0 00330 1556 NtAccessCheck (1329168, 44, 0x1, 1242880, 1242932, 56, 1242912, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00331 1556 NtClose (44, ... ) == 0x0 00332 1556 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, "Control Panel\Desktop"}, ... 44, ) == 0x0 00333 1556 NtQueryValueKey (44, "SmoothScroll", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00334 1556 NtClose (44, ... ) == 0x0 00335 1556 NtUserSystemParametersInfo (41, 500, 1243060, 0, ... ) == 0x1 00336 1556 NtUserSystemParametersInfo (102, 0, 1561338280, 0, ... ) == 0x1 00337 1556 NtClose (48, ... ) == 0x0 00338 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00339 1556 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00340 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c03b 00341 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c03d 00342 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00343 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... 
) == 0x8174c03f 00344 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00345 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c041 00346 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00347 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c043 00348 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c045 00349 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00350 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c047 00351 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00352 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c049 00353 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00354 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c04b 00355 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00356 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c04d 00357 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00358 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c04f 00359 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c051 00360 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00361 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c053 00362 1556 NtUserFindExistingCursorIcon (1242808, 1242824, 1242872, ... ) == 0x10011 00363 1556 NtUserRegisterClassExWOW (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8174c055 00364 1556 NtUserFindExistingCursorIcon (1242808, 1242824, 1242872, ... 
) == 0x10011 00365 1556 NtUserRegisterClassExWOW (1242752, 1242820, 1242836, 1242852, 0, 384, 0, ... ) == 0x8174c057 00366 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00367 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c059 00368 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10013 00369 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c05b 00370 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00371 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c05d 00372 1556 NtUserFindExistingCursorIcon (1242812, 1242828, 1242876, ... ) == 0x10011 00373 1556 NtUserRegisterClassExWOW (1242756, 1242824, 1242840, 1242856, 0, 384, 0, ... ) == 0x8174c05f 00374 1556 NtTestAlert (... ) == 0x0 00375 1556 NtContinue (1244464, 1, ... 00376 1556 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x583000,}, 4, ... ) == 0x0 00377 1556 NtRaiseException (1244380, 1244408, 0, ... 00378 1556 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0