Summary:


NtContinue(>)  1 
NtQueryAttributesFile(>)  1 
NtTestAlert(>)  1 
NtQuerySystemInformation(>)  6 

NtCreateSection(>)  1 
NtQueryDefaultLocale(>)  1 
NtFlushInstructionCache(>)  2 
NtSetInformationFile(>)  6 

NtFreeVirtualMemory(>)  1 
NtQueryInformationFile(>)  1 
NtOpenFile(>)  2 
NtMapViewOfSection(>)  8 

NtFsControlFile(>)  1 
NtQueryObject(>)  1 
NtQueryInformationToken(>)  2 
NtQueryValueKey(>)  8 

NtOpenDirectoryObject(>)  1 
NtQueryPerformanceCounter(>)  1 
NtQueryVirtualMemory(>)  2 
NtOpenKey(>)  9 

NtOpenKeyedEvent(>)  1 
NtQuerySection(>)  1 
NtTerminateProcess(>)  2 
NtOpenSection(>)  10 

NtOpenMutant(>)  1 
NtQuerySymbolicLinkObject(>)  1 
NtCreateKey(>)  3 
NtAllocateVirtualMemory(>)  11 

NtOpenProcessToken(>)  1 
NtQueryVolumeInformationFile(>)  1 
NtRequestWaitReplyPort(>)  3 
NtClose(>)  20 

NtOpenProcessTokenEx(>)  1 
NtRegisterThreadTerminatePort(>)  1 
NtSetInformationObject(>)  3 

NtOpenSymbolicLinkObject(>)  1 
NtSecureConnectPort(>)  1 
NtProtectVirtualMemory(>)  4 

NtOpenThreadTokenEx(>)  1 

Trace:
 00001   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   408   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   408   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   408   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   408   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   408   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   408   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   408   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   408   NtClose  (12, ... ) == 0x0
 00014   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   408   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   408   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   408   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   408   NtClose  (16, ... ) == 0x0
 00021   408   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   408   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   408   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   408   NtClose  (16, ... ) == 0x0
 00026   408   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   408   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   408   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   408   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1496, 0} "h\0\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 404, 408, 1496, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 404, 408, 1496, 0} "h\0\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   408   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   408   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   408   NtClose  (16, ... ) == 0x0
 00036   408   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   408   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   408   NtClose  (28, ... ) == 0x0
 00041   408   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   408   NtClose  (28, ... ) == 0x0
 00045   408   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   408   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   408   NtClose  (28, ... ) == 0x0
 00049   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   408   NtClose  (28, ... ) == 0x0
 00052   408   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1498, 0} "\220E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 404, 408, 1498, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 404, 408, 1498, 0} "\220E\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   408   NtProtectVirtualMemory  (-1, (0x406000), 252, 4, ... (0x406000), 4096, 2, ) == 0x0
 00057   408   NtProtectVirtualMemory  (-1, (0x406000), 4096, 2, ... (0x406000), 4096, 4, ) == 0x0
 00058   408   NtFlushInstructionCache  (-1, 4218880, 252, ... ) == 0x0
 00059   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   408   NtClose  (28, ... ) == 0x0
 00062   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   408   NtClose  (28, ... ) == 0x0
 00065   408   NtProtectVirtualMemory  (-1, (0x406000), 252, 4, ... (0x406000), 4096, 2, ) == 0x0
 00066   408   NtProtectVirtualMemory  (-1, (0x406000), 4096, 2, ... (0x406000), 4096, 4, ) == 0x0
 00067   408   NtFlushInstructionCache  (-1, 4218880, 252, ... ) == 0x0
 00068   408   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00069   408   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00070   408   NtClose  (28, ... ) == 0x0
 00071   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00072   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00073   408   NtClose  (28, ... ) == 0x0
 00074   408   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00075   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00076   408   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00077   408   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00078   408   NtClose  (28, ... ) == 0x0
 00079   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00080   408   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00081   408   NtClose  (28, ... ) == 0x0
 00082   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00083   408   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00084   408   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00085   408   NtTestAlert  (... ) == 0x0
 00086   408   NtContinue  (1244464, 1, ...
 00087   408   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4011a9,}, 4, ... ) == 0x0
 00088   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00089   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00090   408   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00091   408   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00092   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00093   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00094   408   NtClose  (32, ... ) == 0x0
 00095   408   NtQueryPerformanceCounter  (... {100198608, 0}, {3579545, 0}, ) == 0x0
 00096   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 32, ) == 0x0
 00098   408   NtQueryInformationToken  (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00099   408   NtClose  (32, ... ) == 0x0
 00100   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0
 00101   408   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00102   408   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main"}, 0, 0x0, 0, ... 36, 2, ) }, 0, 0x0, 0, ... 36, 2, ) == 0x0
 00103   408   NtSetValueKey  (36,  (36, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... , 0, 1,  (36, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... , 58, ...
 00104   408   NtSetInformationFile  (-2147482732, -135051468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00105   408   NtSetInformationFile  (-2147482732, -135051504, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00106   408   NtSetInformationFile  (-2147482732, -135051536, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00103   408   NtSetValueKey  ... ) == 0x0
 00107   408   NtOpenFile  (0x110080, {24, 0, 0x40, 0, 0,  (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 40, {status=0x0, info=1}, ) }, 7, 2113568, ... 40, {status=0x0, info=1}, ) == 0x0
 00108   408   NtQueryInformationFile  (40, 1244020, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 00109   408   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 44, 0x0, ) }, 0, 0x0, 0, ... 44, 0x0, ) == 0x0
 00110   408   NtQueryValueKey  (44,  (44, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00111   408   NtClose  (44, ... ) == 0x0
 00112   408   NtCreateKey  (0xc0000000, {24, 0, 0xc0, 0, 0,  (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 44, 0x0, ) }, 0, 0x0, 0, ... 44, 0x0, ) == 0x0
 00113   408   NtQueryValueKey  (44,  (44, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00114   408   NtSetValueKey  (44,  (44, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 0, 7,  (44, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 50, ...
 00115   408   NtSetInformationFile  (-2147482844, -135051468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00116   408   NtSetInformationFile  (-2147482844, -135051560, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00117   408   NtSetInformationFile  (-2147482844, -135051964, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00114   408   NtSetValueKey  ... ) == 0x0
 00118   408   NtClose  (44, ... ) == 0x0
 00119   408   NtClose  (40, ... ) == 0x0
 00120   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 40, ) }, ... 40, ) == 0x0
 00121   408   NtQueryValueKey  (40,  (40, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00122   408   NtClose  (40, ... ) == 0x0
 00123   408   NtTerminateProcess  (0, 0, ... ) == 0x0
 00124   408   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 00125   408   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 404, 408, 1509, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 404, 408, 1509, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 404, 408, 1509, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00126   408   NtTerminateProcess  (-1, 0, ...
NtContinue(>)	1	NtQueryAttributesFile(>)	1	NtTestAlert(>)	1	NtQuerySystemInformation(>)	6
NtCreateSection(>)	1	NtQueryDefaultLocale(>)	1	NtFlushInstructionCache(>)	2	NtSetInformationFile(>)	6
NtFreeVirtualMemory(>)	1	NtQueryInformationFile(>)	1	NtOpenFile(>)	2	NtMapViewOfSection(>)	8
NtFsControlFile(>)	1	NtQueryObject(>)	1	NtQueryInformationToken(>)	2	NtQueryValueKey(>)	8
NtOpenDirectoryObject(>)	1	NtQueryPerformanceCounter(>)	1	NtQueryVirtualMemory(>)	2	NtOpenKey(>)	9
NtOpenKeyedEvent(>)	1	NtQuerySection(>)	1	NtTerminateProcess(>)	2	NtOpenSection(>)	10
NtOpenMutant(>)	1	NtQuerySymbolicLinkObject(>)	1	NtCreateKey(>)	3	NtAllocateVirtualMemory(>)	11
NtOpenProcessToken(>)	1	NtQueryVolumeInformationFile(>)	1	NtRequestWaitReplyPort(>)	3	NtClose(>)	20
NtOpenProcessTokenEx(>)	1	NtRegisterThreadTerminatePort(>)	1	NtSetInformationObject(>)	3
NtOpenSymbolicLinkObject(>)	1	NtSecureConnectPort(>)	1	NtProtectVirtualMemory(>)	4
NtOpenThreadTokenEx(>)	1