Summary (per-syscall call counts for the traced process, columns ordered by increasing count; note that NtSetValueKey (2 calls, entries 00103 and 00113) and NtSetInformationThread (1 call, entry 00087) appear in the trace below but are missing from this table):

NtContinue(>) 1 NtQueryAttributesFile(>) 1 NtTestAlert(>) 1 NtSetInformationFile(>) 5
NtCreateSection(>) 1 NtQueryDefaultLocale(>) 1 NtFlushInstructionCache(>) 2 NtQuerySystemInformation(>) 6
NtFreeVirtualMemory(>) 1 NtQueryInformationFile(>) 1 NtOpenFile(>) 2 NtMapViewOfSection(>) 8
NtFsControlFile(>) 1 NtQueryObject(>) 1 NtQueryInformationToken(>) 2 NtQueryValueKey(>) 8
NtOpenDirectoryObject(>) 1 NtQueryPerformanceCounter(>) 1 NtQueryVirtualMemory(>) 2 NtOpenKey(>) 9
NtOpenKeyedEvent(>) 1 NtQuerySection(>) 1 NtTerminateProcess(>) 2 NtOpenSection(>) 10
NtOpenMutant(>) 1 NtQuerySymbolicLinkObject(>) 1 NtCreateKey(>) 3 NtAllocateVirtualMemory(>) 11
NtOpenProcessToken(>) 1 NtQueryVolumeInformationFile(>) 1 NtRequestWaitReplyPort(>) 3 NtClose(>) 20
NtOpenProcessTokenEx(>) 1 NtRegisterThreadTerminatePort(>) 1 NtSetInformationObject(>) 3
NtOpenSymbolicLinkObject(>) 1 NtSecureConnectPort(>) 1 NtProtectVirtualMemory(>) 4
NtOpenThreadTokenEx(>) 1

Trace (one entry per call: sequence number, the constant id 432 — presumably the traced process or thread id, confirm against the tracer's documentation — then the syscall with its arguments and `== ` return status; a call that interrupts another is printed nested, and the outer call's `... ) == ` line follows afterwards). Points a reviewer should pick out: the Image File Execution Options lookup for packed.exe at 00001 (STATUS_OBJECT_NAME_NOT_FOUND — a common check for an attached debugger, here negative); the RO→RW→RO protection flips plus NtFlushInstructionCache on a 216-byte range at 0x405000 inside the sample's own image at 00056–00058 and 00065–00067, bracketing the mapping of ADVAPI32.dll and RPCRT4.dll — consistent with the loader snapping the import table, but a packer patching its own IAT looks the same, so verify against the PE section layout; the REG_SZ write of Software\Microsoft\Internet Explorer\Main\Start Page = www.openarticles.info under the user hive S-1-5-21-…-1003 at 00103 (browser start-page hijack); and the REG_MULTI_SZ PendingFileRenameOperations value written under Session Manager at 00113 naming \??\u:\work\packed.exe with an empty target, which schedules deletion of the sample itself at next boot. The sample terminates shortly after (00122, 00125).

00001 432 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 432 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 432 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 432 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 432 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 432 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 432 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 432 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 432 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 432 NtClose (12, ... 
) == 0x0 00014 432 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 432 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 432 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 432 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 432 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 432 NtClose (16, ... ) == 0x0 00021 432 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 432 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 432 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18743296}, {0, 0, 0}, 200, 44, ) == 0x0 00025 432 NtClose (16, ... ) == 0x0 00026 432 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 432 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 432 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 432 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 432 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 416, 432, 1520, 0} "8\354\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ... {28, 56, reply, 0, 416, 432, 1520, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ... {28, 56, reply, 0, 416, 432, 1520, 0} "8\354\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\36\1\4\0\0\0" ) ) == 0x0 00032 432 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 432 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 432 NtClose (16, ... ) == 0x0 00036 432 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 432 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 432 NtClose (28, ... ) == 0x0 00041 432 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 432 NtClose (28, ... ) == 0x0 00045 432 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 432 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 432 NtClose (28, ... ) == 0x0 00049 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 432 NtClose (28, ... ) == 0x0 00052 432 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 432 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... 
{28, 56, reply, 0, 416, 432, 1523, 0} "\370\251\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ... {28, 56, reply, 0, 416, 432, 1523, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\36\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ... {28, 56, reply, 0, 416, 432, 1523, 0} "\370\251\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\36\18\6\0\0" ) ) == 0x0 00056 432 NtProtectVirtualMemory (-1, (0x405000), 216, 4, ... (0x405000), 4096, 2, ) == 0x0 00057 432 NtProtectVirtualMemory (-1, (0x405000), 4096, 2, ... (0x405000), 4096, 4, ) == 0x0 00058 432 NtFlushInstructionCache (-1, 4214784, 216, ... ) == 0x0 00059 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 432 NtClose (28, ... ) == 0x0 00062 432 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 432 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 432 NtClose (28, ... ) == 0x0 00065 432 NtProtectVirtualMemory (-1, (0x405000), 216, 4, ... (0x405000), 4096, 2, ) == 0x0 00066 432 NtProtectVirtualMemory (-1, (0x405000), 4096, 2, ... (0x405000), 4096, 4, ) == 0x0 00067 432 NtFlushInstructionCache (-1, 4214784, 216, ... ) == 0x0 00068 432 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00069 432 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00070 432 NtClose (28, ... ) == 0x0 00071 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00072 432 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00073 432 NtClose (28, ... ) == 0x0 00074 432 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00075 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00076 432 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00077 432 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00078 432 NtClose (28, ... ) == 0x0 00079 432 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00080 432 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 432 NtClose (28, ... ) == 0x0 00082 432 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00083 432 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00084 432 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00085 432 NtTestAlert (... ) == 0x0 00086 432 NtContinue (1244464, 1, ... 00087 432 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4010ed,}, 4, ... 
) == 0x0 00088 432 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00089 432 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00090 432 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00091 432 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0 00092 432 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00093 432 NtClose (32, ... ) == 0x0 00094 432 NtAllocateVirtualMemory (-1, 3280896, 0, 4096, 4096, 4, ... 3280896, 4096, ) == 0x0 00095 432 NtQueryPerformanceCounter (... {99137743, 0}, {3579545, 0}, ) == 0x0 00096 432 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00097 432 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 32, ) == 0x0 00098 432 NtQueryInformationToken (32, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00099 432 NtClose (32, ... ) == 0x0 00100 432 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 32, ) }, ... 32, ) == 0x0 00101 432 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00102 432 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main"}, 0, 0x0, 0, ... 36, 2, ) }, 0, 0x0, 0, ... 36, 2, ) == 0x0 00103 432 NtSetValueKey (36, (36, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... 
, 0, 1, (36, "Start Page", 0, 1, "h\0t\0t\0p\0:\0/\0/\0w\0w\0w\0.\0o\0p\0e\0n\0a\0r\0t\0i\0c\0l\0e\0s\0.\0i\0n\0f\0o\0\0\0", 58, ... , 58, ... 00104 432 NtSetInformationFile (-2147482700, -134441164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00105 432 NtSetInformationFile (-2147482700, -134441232, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00103 432 NtSetValueKey ... ) == 0x0 00106 432 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 40, {status=0x0, info=1}, ) }, 7, 2113568, ... 40, {status=0x0, info=1}, ) == 0x0 00107 432 NtQueryInformationFile (40, 1244024, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00108 432 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 44, 0x0, ) }, 0, 0x0, 0, ... 44, 0x0, ) == 0x0 00109 432 NtQueryValueKey (44, (44, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00110 432 NtClose (44, ... ) == 0x0 00111 432 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 44, 0x0, ) }, 0, 0x0, 0, ... 44, 0x0, ) == 0x0 00112 432 NtQueryValueKey (44, (44, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 432 NtSetValueKey (44, (44, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 0, 7, (44, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 50, ... 00114 432 NtSetInformationFile (-2147482844, -134441164, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00115 432 NtSetInformationFile (-2147482844, -134441256, 8, EndOfFile, ... 
{status=0x0, info=0}, ) == 0x0 00116 432 NtSetInformationFile (-2147482844, -134441660, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00113 432 NtSetValueKey ... ) == 0x0 00117 432 NtClose (44, ... ) == 0x0 00118 432 NtClose (40, ... ) == 0x0 00119 432 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 40, ) }, ... 40, ) == 0x0 00120 432 NtQueryValueKey (40, (40, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00121 432 NtClose (40, ... ) == 0x0 00122 432 NtTerminateProcess (0, 0, ... ) == 0x0 00123 432 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00124 432 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 416, 432, 1536, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ... {20, 48, reply, 0, 416, 432, 1536, 0} (24, {20, 48, new_msg, 0, 1600019804, 3276800, 8, 104} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 416, 432, 1536, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ) == 0x0 00125 432 NtTerminateProcess (-1, 0, ...