Summary:

NtContinue(>) 1 NtQueryAttributesFile(>) 1 NtSetInformationObject(>) 1 NtRequestWaitReplyPort(>) 3
NtCreateFile(>) 1 NtQueryDefaultLocale(>) 1 NtSetInformationThread(>) 1 NtOpenKey(>) 4
NtCreateSection(>) 1 NtQueryInformationToken(>) 1 NtTestAlert(>) 1 NtSetInformationFile(>) 4
NtFlushInstructionCache(>) 1 NtQueryObject(>) 1 NtOpenFile(>) 2 NtMapViewOfSection(>) 6
NtFsControlFile(>) 1 NtQueryPerformanceCounter(>) 1 NtProtectVirtualMemory(>) 2 NtQuerySystemInformation(>) 6
NtOpenDirectoryObject(>) 1 NtQuerySection(>) 1 NtQueryInformationFile(>) 2 NtOpenSection(>) 8
NtOpenKeyedEvent(>) 1 NtQuerySymbolicLinkObject(>) 1 NtQueryVirtualMemory(>) 2 NtAllocateVirtualMemory(>) 12
NtOpenMutant(>) 1 NtReadFile(>) 1 NtQueryVolumeInformationFile(>) 2 NtClose(>) 13
NtOpenProcessToken(>) 1 NtRegisterThreadTerminatePort(>) 1 NtTerminateProcess(>) 2 NtQueryValueKey(>) 3
NtOpenSymbolicLinkObject(>) 1 NtSecureConnectPort(>) 1

Trace:

00001 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 460 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 460 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 460 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 460 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 460 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 460 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 460 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 460 NtClose (12, ... 
) == 0x0 00014 460 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 460 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 460 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 460 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 460 NtClose (16, ... ) == 0x0 00021 460 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 460 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 460 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 460 NtClose (16, ... ) == 0x0 00026 460 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 460 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 460 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 460 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 460, 1484, 0} "\300\330\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 448, 460, 1484, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 460, 1484, 0} "\300\330\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 460 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 460 NtClose (16, ... ) == 0x0 00036 460 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 460 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 460 NtClose (28, ... ) == 0x0 00041 460 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 460 NtClose (28, ... ) == 0x0 00045 460 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 460 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 460 NtClose (28, ... ) == 0x0 00049 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 460 NtClose (28, ... ) == 0x0 00052 460 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 448, 460, 1486, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 448, 460, 1486, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 448, 460, 1486, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 460 NtProtectVirtualMemory (-1, (0x408000), 268, 4, ... (0x408000), 4096, 2, ) == 0x0 00057 460 NtProtectVirtualMemory (-1, (0x408000), 4096, 2, ... (0x408000), 4096, 4, ) == 0x0 00058 460 NtFlushInstructionCache (-1, 4227072, 268, ... ) == 0x0 00059 460 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 460 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 460 NtClose (28, ... ) == 0x0 00062 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 460 NtClose (28, ... ) == 0x0 00065 460 NtTestAlert (... ) == 0x0 00066 460 NtContinue (1244464, 1, ... 00067 460 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401e7f,}, 4, ... ) == 0x0 00068 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00069 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
3276800, 65536, ) == 0x0 00070 460 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00071 460 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00072 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00073 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00074 460 NtClose (28, ... ) == 0x0 00075 460 NtAllocateVirtualMemory (-1, 3280896, 0, 4096, 4096, 4, ... 3280896, 4096, ) == 0x0 00076 460 NtQueryPerformanceCounter (... {93331369, 0}, {3579545, 0}, ) == 0x0 00077 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 28, {status=0x0, info=1}, ) }, 7, 2113568, ... 28, {status=0x0, info=1}, ) == 0x0 00078 460 NtSetInformationFile (28, 1243876, 40, Basic, ... ) == STATUS_ACCESS_DENIED 00079 460 NtClose (28, ... ) == 0x0 00080 460 NtCreateFile (0x80100080, {24, 0, 0x42, 0, 1243744, (0x80100080, {24, 0, 0x42, 0, 1243744, "\??\u:\work\packed.exe"}, 0x0, 128, 3, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 28, {status=0x0, info=1}, ) == 0x0 00081 460 NtQueryVolumeInformationFile (28, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00082 460 NtQueryInformationFile (28, 1243536, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00083 460 NtSetInformationFile (28, 1243568, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00084 460 NtQueryInformationFile (28, 1243544, 8, Position, ... {status=0x0, info=8}, ) == 0x0 00085 460 NtSetInformationFile (28, 1243544, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00086 460 NtSetInformationFile (28, 1243552, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00087 460 NtAllocateVirtualMemory (-1, 3284992, 0, 8192, 4096, 4, ... 3284992, 8192, ) == 0x0 00088 460 NtReadFile (28, 0, 0, 0, 4096, 0x0, 0, ... 
{status=0x0, info=1024}, (28, 0, 0, 0, 4096, 0x0, 0, ... {status=0x0, info=1024}, … [remainder of the NtReadFile record is missing from this capture] … == 0x0 00089 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0 00090 460 NtQueryValueKey (32, (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00091 460 NtClose (32, ... ) == 0x0 00092 460 NtTerminateProcess (0, 0, ... ) == 0x0 00093 460 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 448, 460, 1492, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ... {20, 48, reply, 0, 448, 460, 1492, 0} (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 448, 460, 1492, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ) == 0x0 00094 460 NtTerminateProcess (-1, 0, ...