Summary (number of calls per system service):

NtCallbackReturn(>) 1 NtOpenMutant(>) 1 NtTestAlert(>) 1 NtGdiGetStockObject(>) 5
NtContinue(>) 1 NtOpenProcessToken(>) 1 NtUserCallNoParam(>) 1 NtQuerySystemInformation(>) 6
NtCreateEvent(>) 1 NtOpenProcessTokenEx(>) 1 NtUserGetThreadDesktop(>) 1 NtProtectVirtualMemory(>) 8
NtCreateSection(>) 1 NtOpenSymbolicLinkObject(>) 1 NtFreeVirtualMemory(>) 2 NtQueryValueKey(>) 9
NtDuplicateObject(>) 1 NtOpenThreadTokenEx(>) 1 NtGdiCreateSolidBrush(>) 2 NtUserFindExistingCursorIcon(>) 9
NtFsControlFile(>) 1 NtQueryAttributesFile(>) 1 NtQueryDefaultLocale(>) 2 NtMapViewOfSection(>) 10
NtGdiCreateBitmap(>) 1 NtQueryObject(>) 1 NtQueryVirtualMemory(>) 2 NtAllocateVirtualMemory(>) 11
NtGdiInit(>) 1 NtQuerySection(>) 1 NtSetInformationObject(>) 2 NtOpenSection(>) 11
NtGdiQueryFontAssocInfo(>) 1 NtQuerySymbolicLinkObject(>) 1 NtTerminateProcess(>) 2 NtDelayExecution(>) 12
NtGdiSelectBitmap(>) 1 NtQueryVolumeInformationFile(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenKey(>) 12
NtOpenDirectoryObject(>) 1 NtRegisterThreadTerminatePort(>) 1 NtQueryInformationToken(>) 3 NtUserRegisterClassExWOW(>) 15
NtOpenFile(>) 1 NtSecureConnectPort(>) 1 NtFlushInstructionCache(>) 4 NtClose(>) 22
NtOpenKeyedEvent(>) 1 NtSetInformationThread(>) 1 NtRequestWaitReplyPort(>) 4

Trace (sequence number, thread ID, system call with arguments, return value):

00001 284 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 284 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 284 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 284 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 284 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 284 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 284 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 284 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 284 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 284 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 284 NtClose (12, ... 
) == 0x0 00014 284 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 284 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 284 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 284 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 284 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 284 NtClose (16, ... ) == 0x0 00021 284 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 284 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 284 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 284 NtClose (16, ... ) == 0x0 00026 284 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 284 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 284 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 284 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 284 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 280, 284, 1424, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 280, 284, 1424, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 280, 284, 1424, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 284 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 284 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 284 NtClose (16, ... ) == 0x0 00036 284 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00037 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0 00038 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x260000), 0x0, 90112, ) == 0x0 00039 284 NtClose (28, ... ) == 0x0 00040 284 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00041 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00042 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00043 284 NtClose (28, ... ) == 0x0 00044 284 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00045 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00046 284 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00047 284 NtClose (28, ... ) == 0x0 00048 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00049 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00050 284 NtClose (28, ... ) == 0x0 00051 284 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00052 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00053 284 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 280, 284, 1431, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... 
{28, 56, reply, 0, 280, 284, 1431, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 280, 284, 1431, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00055 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 8, ) == 0x0 00056 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 8, ... (0x407000), 4096, 4, ) == 0x0 00057 284 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00058 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00059 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00060 284 NtClose (28, ... ) == 0x0 00061 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00062 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00063 284 NtClose (28, ... ) == 0x0 00064 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00065 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00066 284 NtClose (28, ... ) == 0x0 00067 284 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00068 284 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00069 284 NtClose (28, ... ) == 0x0 00070 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00071 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00072 284 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00073 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... 
(0x407000), 4096, 4, ) == 0x0 00074 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00075 284 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00076 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00077 284 NtProtectVirtualMemory (-1, (0x407000), 4096, 4, ... (0x407000), 4096, 4, ) == 0x0 00078 284 NtFlushInstructionCache (-1, 4222976, 4096, ... ) == 0x0 00079 284 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00080 284 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00081 284 NtClose (28, ... ) == 0x0 00082 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00083 284 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00084 284 NtClose (28, ... ) == 0x0 00085 284 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00086 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00087 284 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00088 284 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00089 284 NtClose (28, ... 
) == 0x0 00090 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00091 284 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00092 284 NtClose (28, ... ) == 0x0 00093 284 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00094 284 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00095 284 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 284 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00097 284 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 280, 284, 1435, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 280, 284, 1435, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\31\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 280, 284, 1435, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00098 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00099 284 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x410000), 0x0, 1060864, ) == 0x0 00100 284 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00101 284 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00102 284 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00103 284 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00104 284 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00105 284 NtClose (-2147482020, ... ) == 0x0 00106 284 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00107 284 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00108 284 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00109 284 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00110 284 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 284 NtClose (-2147482020, ... ) == 0x0 00112 284 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00113 284 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00114 284 NtClose (-2147482020, ... ) == 0x0 00115 284 NtQueryDefaultLocale (0, -136246772, ... ) == 0x0 00116 284 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00117 284 NtUserCallNoParam (24, ... ) == 0x0 00118 284 NtGdiCreateCompatibleDC (0, ... 00119 284 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00118 284 NtGdiCreateCompatibleDC ... ) == 0x5010412 00120 284 NtGdiGetStockObject (0, ... ) == 0x1900010 00121 284 NtGdiGetStockObject (4, ... 
) == 0x1900011 00122 284 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x2050415 00123 284 NtGdiCreateSolidBrush (0, 0, ... 00124 284 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8519680, 4096, ) == 0x0 00123 284 NtGdiCreateSolidBrush ... ) == 0x1100416 00125 284 NtGdiGetStockObject (13, ... ) == 0x18a0021 00126 284 NtGdiCreateCompatibleDC (0, ... ) == 0x1010417 00127 284 NtGdiSelectBitmap (16843799, 33883157, ... ) == 0x185000f 00128 284 NtUserGetThreadDesktop (284, 0, ... ) == 0x2c 00129 284 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00130 284 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00131 284 NtClose (52, ... ) == 0x0 00132 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00133 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810ec017 00134 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00135 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810ec01c 00136 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00137 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810ec01e 00138 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00139 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810e8002 00140 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00141 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810ec018 00142 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10011 00143 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810ec01a 00144 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810ec01d 00146 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00147 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810ec026 00148 284 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00149 284 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810ec019 00150 284 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00151 284 NtAllocateVirtualMemory (-1, 5468160, 0, 4096, 4096, 32, ... 5468160, 4096, ) == 0x0 00150 284 NtUserRegisterClassExWOW ... ) == 0x810ec020 00152 284 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec022 00153 284 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec023 00154 284 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec024 00155 284 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec025 00156 284 NtCallbackReturn (0, 0, 0, ... 00157 284 NtGdiInit (... ) == 0x1 00158 284 NtGdiGetStockObject (18, ... ) == 0x290001c 00159 284 NtGdiGetStockObject (19, ... ) == 0x1b00019 00160 284 NtTestAlert (... ) == 0x0 00161 284 NtContinue (1244464, 1, ... 00162 284 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x403e78,}, 4, ... ) == 0x0 00163 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00164 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00165 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00166 284 NtDelayExecution (0, {-20000, -1}, ... 
) == 0x0 00167 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00168 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00169 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00170 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00171 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00172 284 NtDelayExecution (0, {-20000, -1}, ... ) == 0x0 00173 284 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00174 284 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 284 NtClose (52, ... ) == 0x0 00176 284 NtDelayExecution (0, {-1500000, -1}, ... ) == 0x0 00177 284 NtDelayExecution (0, {-1500000, -1}, ... ) == 0x0 00178 284 NtTerminateProcess (0, 0, ... ) == 0x0 00179 284 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00180 284 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} "\0\0\0\0\3\0\1\0\244\376\22\0\0\0Is\0\0\0\0" ... {20, 48, reply, 0, 280, 284, 1512, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0Is\0\0\0\0" ) ... {20, 48, reply, 0, 280, 284, 1512, 0} (24, {20, 48, new_msg, 0, 2147344384, 2011701568, 27016, 0} "\0\0\0\0\3\0\1\0\244\376\22\0\0\0Is\0\0\0\0" ... {20, 48, reply, 0, 280, 284, 1512, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0Is\0\0\0\0" ) ) == 0x0 00181 284 NtTerminateProcess (-1, 0, ... 00182 284 NtClose (44, ... ) == 0x0