Good morning everybody,
here is the trace (made by
http://www.bindview.com/Services/RAZOR/ ... readme.cfm). But I can't interpret this text (I'm stupid
) ... can someone help me please? What's going wrong in my application?
[quote]
1 1580 1312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
2 1580 1312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
3 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 8, ) == 0x0
4 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 12, ) == 0x0
5 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
6 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 2293760, 1048576, ) == 0x0
7 1580 1312 NtAllocateVirtualMemory (-1, 2293760, 0, 4096, 4096, 4, ... 2293760, 4096, ) == 0x0
8 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 16, ) == 0x0
9 1580 1312 NtAllocateVirtualMemory (-1, 2297856, 0, 8192, 4096, 4, ... 2297856, 8192, ) == 0x0
10 1580 1312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
11 1580 1312 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 20, ) == 0x0
12 1580 1312 NtOpenSymbolicLinkObject (0x1, {24, 20, 0x40, 0, 0, "KnownDllPath"}, ... 24, ) == 0x0
13 1580 1312 NtQuerySymbolicLinkObject (24, ... "C:\WINNT\system32", 0x0, ) == 0x0
14 1580 1312 NtClose (24, ... ) == 0x0
15 1580 1312 NtFsControlFile (0, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_HANDLE
16 1580 1312 NtFsControlFile (0, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_HANDLE
17 1580 1312 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\Release\"}, 3, 33, ... 24, {status=0x0, info=1}, ) == 0x0
18 1580 1312 NtQueryVolumeInformationFile (24, 2292012, 8, Device, ... {status=0x0, info=8}, ) == 0x0
19 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 28, ) == 0x0
20 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x79350000), 0x0, 413696, ) == 0x0
21 1580 1312 NtClose (28, ... ) == 0x0
22 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "KERNEL32.dll"}, ... 28, ) == 0x0
23 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 786432, ) == 0x0
24 1580 1312 NtClose (28, ... ) == 0x0
25 1580 1312 NtProtectVirtualMemory (-1, (0x77e71000), 1328, 4, ... (0x77e71000), 4096, 32, ) == 0x0
26 1580 1312 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
27 1580 1312 NtFlushInstructionCache (-1, 2011631616, 1328, ... ) == 0x0
28 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 1448, 4, ... (0x79351000), 4096, 32, ) == 0x0
29 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 4096, 32, ... (0x79351000), 4096, 4, ) == 0x0
30 1580 1312 NtFlushInstructionCache (-1, 2033520640, 1448, ... ) == 0x0
31 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 1448, 4, ... (0x79351000), 4096, 32, ) == 0x0
32 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 4096, 32, ... (0x79351000), 4096, 4, ) == 0x0
33 1580 1312 NtFlushInstructionCache (-1, 2033520640, 1448, ... ) == 0x0
34 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) == 0x0
35 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d20000), 0x0, 491520, ) == 0x0
36 1580 1312 NtClose (28, ... ) == 0x0
37 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 788, 4, ... (0x77d21000), 4096, 32, ) == 0x0
38 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 4096, 32, ... (0x77d21000), 4096, 4, ) == 0x0
39 1580 1312 NtFlushInstructionCache (-1, 2010255360, 788, ... ) == 0x0
40 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 788, 4, ... (0x77d21000), 4096, 32, ) == 0x0
41 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 4096, 32, ... (0x77d21000), 4096, 4, ) == 0x0
42 1580 1312 NtFlushInstructionCache (-1, 2010255360, 788, ... ) == 0x0
43 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 788, 4, ... (0x77d21000), 4096, 32, ) == 0x0
44 1580 1312 NtProtectVirtualMemory (-1, (0x77d21000), 4096, 32, ... (0x77d21000), 4096, 4, ) == 0x0
45 1580 1312 NtFlushInstructionCache (-1, 2010255360, 788, ... ) == 0x0
46 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 1448, 4, ... (0x79351000), 4096, 32, ) == 0x0
47 1580 1312 NtProtectVirtualMemory (-1, (0x79351000), 4096, 32, ... (0x79351000), 4096, 4, ) == 0x0
48 1580 1312 NtFlushInstructionCache (-1, 2033520640, 1448, ... ) == 0x0
49 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 8, ) == 0x0
50 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 8, ... (0x698000), 16384, 4, ) == 0x0
51 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
52 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "COMCTL32.DLL"}, ... 28, ) == 0x0
53 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71710000), 0x0, 540672, ) == 0x0
54 1580 1312 NtClose (28, ... ) == 0x0
55 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 1460, 4, ... (0x71711000), 4096, 32, ) == 0x0
56 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 4096, 32, ... (0x71711000), 4096, 4, ) == 0x0
57 1580 1312 NtFlushInstructionCache (-1, 1903235072, 1460, ... ) == 0x0
58 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) == 0x0
59 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f40000), 0x0, 258048, ) == 0x0
60 1580 1312 NtClose (28, ... ) == 0x0
61 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 448, 4, ... (0x77f41000), 4096, 32, ) == 0x0
62 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 4096, 32, ... (0x77f41000), 4096, 4, ) == 0x0
63 1580 1312 NtFlushInstructionCache (-1, 2012483584, 448, ... ) == 0x0
64 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 448, 4, ... (0x77f41000), 4096, 32, ) == 0x0
65 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 4096, 32, ... (0x77f41000), 4096, 4, ) == 0x0
66 1580 1312 NtFlushInstructionCache (-1, 2012483584, 448, ... ) == 0x0
67 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "USER32.dll"}, ... 28, ) == 0x0
68 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e00000), 0x0, 430080, ) == 0x0
69 1580 1312 NtClose (28, ... ) == 0x0
70 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 1200, 4, ... (0x77e01000), 4096, 32, ) == 0x0
71 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 4096, 32, ... (0x77e01000), 4096, 4, ) == 0x0
72 1580 1312 NtFlushInstructionCache (-1, 2011172864, 1200, ... ) == 0x0
73 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 1200, 4, ... (0x77e01000), 4096, 32, ) == 0x0
74 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 4096, 32, ... (0x77e01000), 4096, 4, ) == 0x0
75 1580 1312 NtFlushInstructionCache (-1, 2011172864, 1200, ... ) == 0x0
76 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 1200, 4, ... (0x77e01000), 4096, 32, ) == 0x0
77 1580 1312 NtProtectVirtualMemory (-1, (0x77e01000), 4096, 32, ... (0x77e01000), 4096, 4, ) == 0x0
78 1580 1312 NtFlushInstructionCache (-1, 2011172864, 1200, ... ) == 0x0
79 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 448, 4, ... (0x77f41000), 4096, 32, ) == 0x0
80 1580 1312 NtProtectVirtualMemory (-1, (0x77f41000), 4096, 32, ... (0x77f41000), 4096, 4, ) == 0x0
81 1580 1312 NtFlushInstructionCache (-1, 2012483584, 448, ... ) == 0x0
82 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 1460, 4, ... (0x71711000), 4096, 32, ) == 0x0
83 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 4096, 32, ... (0x71711000), 4096, 4, ) == 0x0
84 1580 1312 NtFlushInstructionCache (-1, 1903235072, 1460, ... ) == 0x0
85 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 1460, 4, ... (0x71711000), 4096, 32, ) == 0x0
86 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 4096, 32, ... (0x71711000), 4096, 4, ) == 0x0
87 1580 1312 NtFlushInstructionCache (-1, 1903235072, 1460, ... ) == 0x0
88 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 1460, 4, ... (0x71711000), 4096, 32, ) == 0x0
89 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 4096, 32, ... (0x71711000), 4096, 4, ) == 0x0
90 1580 1312 NtFlushInstructionCache (-1, 1903235072, 1460, ... ) == 0x0
91 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 1460, 4, ... (0x71711000), 4096, 32, ) == 0x0
92 1580 1312 NtProtectVirtualMemory (-1, (0x71711000), 4096, 32, ... (0x71711000), 4096, 4, ) == 0x0
93 1580 1312 NtFlushInstructionCache (-1, 1903235072, 1460, ... ) == 0x0
94 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
95 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
96 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
97 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "COMDLG32.DLL"}, ... 28, ) == 0x0
98 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b00000), 0x0, 258048, ) == 0x0
99 1580 1312 NtClose (28, ... ) == 0x0
100 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "SHLWAPI.DLL"}, ... 28, ) == 0x0
101 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772a0000), 0x0, 417792, ) == 0x0
102 1580 1312 NtClose (28, ... ) == 0x0
103 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 2040, 4, ... (0x772a1000), 4096, 32, ) == 0x0
104 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 4096, 32, ... (0x772a1000), 4096, 4, ) == 0x0
105 1580 1312 NtFlushInstructionCache (-1, 1999245312, 2040, ... ) == 0x0
106 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 2040, 4, ... (0x772a1000), 4096, 32, ) == 0x0
107 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 4096, 32, ... (0x772a1000), 4096, 4, ) == 0x0
108 1580 1312 NtFlushInstructionCache (-1, 1999245312, 2040, ... ) == 0x0
109 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 2040, 4, ... (0x772a1000), 4096, 32, ) == 0x0
110 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 4096, 32, ... (0x772a1000), 4096, 4, ) == 0x0
111 1580 1312 NtFlushInstructionCache (-1, 1999245312, 2040, ... ) == 0x0
112 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) == 0x0
113 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x78000000), 0x0, 282624, ) == 0x0
114 1580 1312 NtClose (28, ... ) == 0x0
115 1580 1312 NtProtectVirtualMemory (-1, (0x78032000), 564, 4, ... (0x78032000), 4096, 2, ) == 0x0
116 1580 1312 NtProtectVirtualMemory (-1, (0x78032000), 4096, 2, ... (0x78032000), 4096, 4, ) == 0x0
117 1580 1312 NtFlushInstructionCache (-1, 2013470720, 564, ... ) == 0x0
118 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 2040, 4, ... (0x772a1000), 4096, 32, ) == 0x0
119 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 4096, 32, ... (0x772a1000), 4096, 4, ) == 0x0
120 1580 1312 NtFlushInstructionCache (-1, 1999245312, 2040, ... ) == 0x0
121 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 2040, 4, ... (0x772a1000), 4096, 32, ) == 0x0
122 1580 1312 NtProtectVirtualMemory (-1, (0x772a1000), 4096, 32, ... (0x772a1000), 4096, 4, ) == 0x0
123 1580 1312 NtFlushInstructionCache (-1, 1999245312, 2040, ... ) == 0x0
124 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
125 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
126 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
127 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
128 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
129 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
130 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
131 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
132 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
133 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
134 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
135 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
136 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
137 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
138 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
139 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
140 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
141 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
142 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "SHELL32.DLL"}, ... 28, ) == 0x0
143 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7cf90000), 0x0, 2473984, ) == 0x0
144 1580 1312 NtClose (28, ... ) == 0x0
145 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
146 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
147 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
148 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
149 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
150 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
151 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
152 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
153 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
154 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
155 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
156 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
157 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
158 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
159 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
160 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
161 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
162 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
163 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 3832, 4, ... (0x7cf91000), 4096, 32, ) == 0x0
164 1580 1312 NtProtectVirtualMemory (-1, (0x7cf91000), 4096, 32, ... (0x7cf91000), 4096, 4, ) == 0x0
165 1580 1312 NtFlushInstructionCache (-1, 2096697344, 3832, ... ) == 0x0
166 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
167 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
168 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
169 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 1444, 4, ... (0x76b01000), 4096, 32, ) == 0x0
170 1580 1312 NtProtectVirtualMemory (-1, (0x76b01000), 4096, 32, ... (0x76b01000), 4096, 4, ) == 0x0
171 1580 1312 NtFlushInstructionCache (-1, 1991249920, 1444, ... ) == 0x0
172 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
173 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
174 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
175 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
176 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
177 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
178 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
179 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
180 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
181 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
182 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
183 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
184 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
185 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
186 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
187 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "OLE32.dll"}, ... 28, ) == 0x0
188 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7ce80000), 0x0, 1052672, ) == 0x0
189 1580 1312 NtClose (28, ... ) == 0x0
190 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
191 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
192 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
193 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
194 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
195 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
196 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
197 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
198 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
199 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
200 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
201 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
202 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
203 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
204 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
205 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 2016, 4, ... (0x7ce81000), 4096, 32, ) == 0x0
206 1580 1312 NtProtectVirtualMemory (-1, (0x7ce81000), 4096, 32, ... (0x7ce81000), 4096, 4, ) == 0x0
207 1580 1312 NtFlushInstructionCache (-1, 2095583232, 2016, ... ) == 0x0
208 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
209 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
210 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
211 1580 1312 NtOpenSection (0xe, {24, 20, 0x40, 0, 0, "OLEAUT32.DLL"}, ... 28, ) == 0x0
212 1580 1312 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x779a0000), 0x0, 634880, ) == 0x0
213 1580 1312 NtClose (28, ... ) == 0x0
214 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 1092, 4, ... (0x779a2000), 4096, 32, ) == 0x0
215 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 4096, 32, ... (0x779a2000), 4096, 4, ) == 0x0
216 1580 1312 NtFlushInstructionCache (-1, 2006589440, 1092, ... ) == 0x0
217 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 1092, 4, ... (0x779a2000), 4096, 32, ) == 0x0
218 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 4096, 32, ... (0x779a2000), 4096, 4, ) == 0x0
219 1580 1312 NtFlushInstructionCache (-1, 2006589440, 1092, ... ) == 0x0
220 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 1092, 4, ... (0x779a2000), 4096, 32, ) == 0x0
221 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 4096, 32, ... (0x779a2000), 4096, 4, ) == 0x0
222 1580 1312 NtFlushInstructionCache (-1, 2006589440, 1092, ... ) == 0x0
223 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 1092, 4, ... (0x779a2000), 4096, 32, ) == 0x0
224 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 4096, 32, ... (0x779a2000), 4096, 4, ) == 0x0
225 1580 1312 NtFlushInstructionCache (-1, 2006589440, 1092, ... ) == 0x0
226 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 1092, 4, ... (0x779a2000), 4096, 32, ) == 0x0
227 1580 1312 NtProtectVirtualMemory (-1, (0x779a2000), 4096, 32, ... (0x779a2000), 4096, 4, ) == 0x0
228 1580 1312 NtFlushInstructionCache (-1, 2006589440, 1092, ... ) == 0x0
229 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
230 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
231 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
232 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
233 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
234 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
235 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16312, 4, ... (0x698000), 16384, 4, ) == 0x0
236 1580 1312 NtProtectVirtualMemory (-1, (0x698000), 16384, 4, ... (0x698000), 16384, 4, ) == 0x0
237 1580 1312 NtFlushInstructionCache (-1, 6914048, 16312, ... ) == 0x0
238 1580 1312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
239 1580 1312 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
240 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
241 1580 1312 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 28, ) == 0x0
242 1580 1312 NtSecureConnectPort ("\Windows\ApiPort", {2291924, 2, 1, 1}, {24, 28, 0, 65536, 0, 0}, 2303352, {12, 0, 0}, 2291024, 40, ... 36, {24, 28, 0, 65536, 3342336, 106430464}, {0, 0, 0}, 168, 40, ) == 0x0
243 1580 1312 NtClose (28, ... ) == 0x0
244 1580 1312 NtQueryObject (36, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
245 1580 1312 NtSetInformationObject (36, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
246 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
247 1580 1312 NtQueryVirtualMemory (-1, 0x330000, Basic, 28, ... {BaseAddress=0x330000,AllocationBase=0x330000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
248 1580 1312 NtAllocateVirtualMemory (-1, 3342336, 0, 4096, 4096, 4, ... 3342336, 4096, ) == 0x0
249 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 28, ) == 0x0
250 1580 1312 NtRequestWaitReplyPort (36, {28, 52, new_msg, 0, 2304092, 2291908, 2005728608, 2005448265} "\210\6X\6\0\0\0\0\314'#\0\264\212\13}\1\0\0\0\234\6X\6\4\0\0\0" ... {28, 52, reply, 0, 1580, 1312, 42228, 0} "\270\264\26\0\0\0\0\0\0\0\0\0\264\212\13}\1\0\0\0\234\6X\6\4\0\0\0" ) == 0x0
251 1580 1312 NtRegisterThreadTerminatePort (36, ... ) == 0x0
252 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
253 1580 1312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\Release\test.exe.Local"}, 2291284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
254 1580 1312 NtAllocateVirtualMemory (-1, 2306048, 0, 4096, 4096, 4, ... 2306048, 4096, ) == 0x0
255 1580 1312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 40, ) == 0x0
256 1580 1312 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x340000), 0x0, 90112, ) == 0x0
257 1580 1312 NtClose (40, ... ) == 0x0
258 1580 1312 NtQueryDefaultLocale (0, 2012002528, ... ) == 0x0
259 1580 1312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 40, ) == 0x0
260 1580 1312 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x360000), 0x0, 192512, ) == 0x0
261 1580 1312 NtClose (40, ... ) == 0x0
262 1580 1312 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 40, ) == 0x0
263 1580 1312 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x390000), 0x0, 266240, ) == 0x0
264 1580 1312 NtQuerySection (40, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
265 1580 1312 NtClose (40, ... ) == 0x0
266 1580 1312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 40, ) == 0x0
267 1580 1312 NtMapViewOfSection (40, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3e0000), 0x0, 16384, ) == 0x0
268 1580 1312 NtClose (40, ... ) == 0x0
269 1580 1312 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
270* 1580 1312 NtAllocateVirtualMemory (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0
271 1580 1312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000407"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
272 1580 1312 NtAllocateVirtualMemory (-1, 3346432, 0, 8192, 4096, 4, ... 3346432, 8192, ) == 0x0
273 1580 1312 NtRequestWaitReplyPort (36, {24, 48, new_msg, 0, 0, 0, 0, 4063292} "\210\6X\6\32\0\1\0\0\0\0\0\0\0\0\0\234\6X\6p\30\0\0" ... {24, 48, reply, 0, 1580, 1312, 42229, 0} "(v\27\0\32\0\1\0\0\0\0\0\0\0\0\0\234\6X\6p\30\0\0" ) == 0x0
274 1580 1312 NtRequestWaitReplyPort (36, {28, 52, new_msg, 0, 2289044, 2290180, 2012002496, 2005726016} "\210\6X\6\0\0\0\0\6\0\0\0\0\0\0\0\2\0\0\0\234\6X\68\6\0\0" ... {28, 52, reply, 0, 1580, 1312, 42230, 0} "(v\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6X\68\6\0\0" ) == 0x0
275 1580 1312 NtAllocateVirtualMemory (-1, 2310144, 0, 4096, 4096, 4, ... 2310144, 4096, ) == 0x0
276 1580 1312 NtAllocateVirtualMemory (-1, 2314240, 0, 8192, 4096, 4, ... 2314240, 8192, ) == 0x0
277 1580 1312 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 40, ) == 0x0
278 1580 1312 NtQueryValueKey (40, "SafeDllSearchMode", Partial, 16, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) == 0x0
279 1580 1312 NtClose (40, ... ) == 0x0
280 1580 1312 NtOpenProcessToken (-1, 0x8, ... 40, ) == 0x0
281 1580 1312 NtQueryInformationToken (40, RestrictedSids, 0, ... ) == STATUS_BUFFER_TOO_SMALL
282 1580 1312 NtQueryInformationToken (40, RestrictedSids, 4, ... {token info, class 11, size 4}, 4, ) == 0x0
283 1580 1312 NtClose (40, ... ) == 0x0
284 1580 1312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 40, ) == 0x0
285 1580 1312 NtQueryValueKey (40, "LeakTrack", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
286 1580 1312 NtClose (40, ... ) == 0x0
287 1580 1312 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 40, ) == 0x0
288 1580 1312 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
289 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
290 1580 1312 NtRequestWaitReplyPort (36, {28, 52, new_msg, 0, 0, 0, 0, 2011996704} "\210\6X\6\0\0\0\0`\374\214w7o\210w\3\0\0\0\234\6X\6\4\1\0\0" ... {28, 52, reply, 0, 1580, 1312, 42231, 0} "\30S\26\0\0\0\0\0\0\0\0\07o\210w\3\0\0\0\234\6X\6\4\1\0\0" ) == 0x0
291 1580 1312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
292* 1580 1312 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x770000), 0x0, 274432, ) == 0x0
293* 1580 1312 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
294* 1580 1312 NtQueryObject (48, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
295* 1580 1312 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
296* 1580 1312 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN
297* 1580 1312 NtOpenProcessToken (-1, 0x8, ... 52, ) == 0x0
298* 1580 1312 NtQueryInformationToken (52, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
299* 1580 1312 NtQueryInformationToken (52, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
300* 1580 1312 NtClose (52, ... ) == 0x0
301* 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 8126464, 4096, ) == 0x0
302* 1580 1312 NtFreeVirtualMemory (-1, (0x7c0000), 4096, 32768, ... (0x7c0000), 4096, ) == 0x0
303* 1580 1312 NtDuplicateObject (-1, 52, -1, 0x0, 0, 2, ... 60, ) == 0x0
304* 1580 1312 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147483060, ) == 0x0
305* 1580 1312 NtQueryValueKey (-2147483060, "test", Partial, 332, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
306* 1580 1312 NtClose (-2147483060, ... ) == 0x0
307* 1580 1312 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility2"}, ... -2147483060, ) == 0x0
308* 1580 1312 NtQueryValueKey (-2147483060, "test1.0", Partial, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
309* 1580 1312 NtClose (-2147483060, ... ) == 0x0
310* 1580 1312 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147483060, ) == 0x0
311* 1580 1312 NtQueryValueKey (-2147483060, "test", Partial, 332, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
312* 1580 1312 NtClose (-2147483060, ... ) == 0x0
313* 1580 1312 NtQueryDefaultLocale (0, -1128719708, ... ) == 0x0
314 1580 1312 NtGdiQueryFontAssocInfo (0, ... ) == 0x0
315 1580 1312 NtUserCallNoParam (18, ... ) == 0x0
316 1580 1312 NtGdiCreateCompatibleDC (0, ...
317* 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 11337728, 4096, ) == 0x0
316 1580 1312 NtGdiCreateCompatibleDC ... ) == 0xe5010a04
318 1580 1312 NtGdiGetStockObject (0, ... ) == 0x1900010
319 1580 1312 NtGdiGetStockObject (4, ... ) == 0x1900011
320 1580 1312 NtGdiCreateBitmap (8, 8, 1, 1, 2011376776, ... ) == 0x50509eb
321 1580 1312 NtGdiCreateSolidBrush (0, 0, ...
322* 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 11403264, 4096, ) == 0x0
321 1580 1312 NtGdiCreateSolidBrush ... ) == 0x321009e4
323 1580 1312 NtGdiGetStockObject (13, ... ) == 0x18a0021
324 1580 1312 NtGdiCreateCompatibleDC (0, ... ) == 0xa0109df
325 1580 1312 NtGdiSelectBitmap (167840223, 84216299, ... ) == 0x185000f
326 1580 1312 NtUserGetThreadDesktop (1312, 0, ... ) == 0x38
327 1580 1312 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager\AppCompatibility\test.exe"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
328 1580 1312 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 64, ) == 0x0
329 1580 1312 NtQueryValueKey (64, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) == 0x0
330 1580 1312 NtClose (64, ... ) == 0x0
331 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
332 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366047, 128, 0, ... ) == 0x817ec017
333 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
334 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366048, 128, 0, ... ) == 0x817ec01c
335 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
336 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366049, 128, 0, ... ) == 0x817ec01e
337 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
338 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 674, 128, 0, ... ) == 0x817e8002
339 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10013
340 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366051, 128, 0, ... ) == 0x817ec018
341 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
342 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366052, 128, 0, ... ) == 0x817ec01a
343 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
344 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366053, 128, 0, ... ) == 0x817ec01d
345 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
346 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366055, 128, 0, ... ) == 0x817ec026
347 1580 1312 NtUserFindExistingCursorIcon (2289528, 2289544, 2290112, ... ) == 0x10011
348 1580 1312 NtUserRegisterClassExWOW (2290068, 2290132, 2290148, 2011366054, 128, 0, ... ) == 0x817ec019
349 1580 1312 NtUserRegisterClassExWOW (2290020, 2290084, 2290100, 0, 128, 0, ... ) == 0x817ec020
350 1580 1312 NtUserRegisterClassExWOW (2290020, 2290084, 2290100, 0, 130, 0, ... ) == 0x817ec022
351 1580 1312 NtUserRegisterClassExWOW (2290020, 2290084, 2290100, 0, 128, 0, ... ) == 0x817ec023
352 1580 1312 NtUserRegisterClassExWOW (2290020, 2290084, 2290100, 0, 130, 0, ... ) == 0x817ec024
353 1580 1312 NtUserRegisterClassExWOW (2290020, 2290084, 2290100, 0, 128, 0, ... ) == 0x817ec025
354 1580 1312 NtCallbackReturn (0, 0, 0, ...
355 1580 1312 NtGdiInit (... ) == 0x1
356 1580 1312 NtGdiGetStockObject (18, ... ) == 0x290001c
357 1580 1312 NtGdiGetStockObject (19, ... ) == 0x1b00019
358 1580 1312 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1580, 0}, ... 64, ) == 0x0
359 1580 1312 NtQueryInformationProcess (64, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
360 1580 1312 NtClose (64, ... ) == 0x0
361 1580 1312 NtUserRegisterWindowMessage ("ShellGetDragImage", ... ) == 0xc03d
362 1580 1312 NtUserSystemParametersInfo (104, 0, 1903624220, 0, ... ) == 0x1
363 1580 1312 NtUserSystemParametersInfo (38, 4, 1903625400, 0, ... ) == 0x1
364 1580 1312 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN
365 1580 1312 NtOpenProcessToken (-1, 0x20008, ... 64, ) == 0x0
366 1580 1312 NtQueryInformationToken (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
367 1580 1312 NtClose (64, ... ) == 0x0
368 1580 1312 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1214440339-152049171-1343024091-1111"}, ... 64, ) == 0x0
369 1580 1312 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 68, ) == 0x0
370 1580 1312 NtQueryValueKey (68, "SmoothScroll", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) == 0x0
371 1580 1312 NtClose (68, ... ) == 0x0
372 1580 1312 NtUserSystemParametersInfo (41, 500, 2291392, 0, ... ) == 0x1
373 1580 1312 NtUserSystemParametersInfo (102, 0, 1903625280, 0, ... ) == 0x1
374 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
375 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
376 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec03e
377 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
378 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
379 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec03f
380 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
381 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
382 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec040
383 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
384 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
385 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec041
386 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
387 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec042
388 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
389 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
390 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec043
391 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
392 1580 1312 NtUserFindExistingCursorIcon (2291180, 2291196, 2291764, ... ) == 0x10011
393 1580 1312 NtUserRegisterClassExWOW (2291652, 2291716, 2291732, 0, 128, 0, ... ) == 0x817ec044
394 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
395 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
396 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec045
397 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
398 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
399 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec046
400 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
401 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
402 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec047
403 1580 1312 NtUserGetClassInfo (1903230976, 2291804, 2291756, 2291832, 0, ... ) == 0x0
404 1580 1312 NtUserRegisterClassExWOW (2291660, 2291724, 2291740, 0, 128, 0, ... ) == 0x817ec048
405 1580 1312 NtUserGetClassInfo (1903230976, 2291800, 2291752, 2291828, 0, ... ) == 0x0
406 1580 1312 NtUserFindExistingCursorIcon (2291184, 2291200, 2291768, ... ) == 0x10011
407 1580 1312 NtUserRegisterClassExWOW (2291656, 2291720, 2291736, 0, 128, 0, ... ) == 0x817ec049
408 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
409 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11468800, 65536, ) == 0x0
410 1580 1312 NtAllocateVirtualMemory (-1, 11468800, 0, 4096, 4096, 4, ... 11468800, 4096, ) == 0x0
411 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 68, ) == 0x0
412 1580 1312 NtAllocateVirtualMemory (-1, 11472896, 0, 8192, 4096, 4, ... 11472896, 8192, ) == 0x0
413 1580 1312 NtQueryVolumeInformationFile (3, 2291668, 8, Device, ... ) == STATUS_INVALID_HANDLE
414 1580 1312 NtQueryVolumeInformationFile (0, 2291668, 8, Device, ... ) == STATUS_INVALID_HANDLE
415 1580 1312 NtQueryVolumeInformationFile (11, 2291668, 8, Device, ... ) == STATUS_OBJECT_TYPE_MISMATCH
416 1580 1312 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 72, ) == 0x0
417 1580 1312 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xb00000), 0x0, 8192, ) == 0x0
418 1580 1312 NtClose (72, ... ) == 0x0
419 1580 1312 NtAllocateVirtualMemory (-1, 11481088, 0, 4096, 4096, 4, ... 11481088, 4096, ) == 0x0
420 1580 1312 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
421 1580 1312 NtUserRegisterWindowMessage ("WOWLFChange", ... ) == 0xc053
422 1580 1312 NtUserRegisterWindowMessage ("WOWDirChange", ... ) == 0xc054
423 1580 1312 NtUserRegisterWindowMessage ("WOWCHOOSEFONT_GETLOGFONT", ... ) == 0xc055
424 1580 1312 NtUserRegisterWindowMessage ("commdlg_LBSelChangedNotify", ... ) == 0xc056
425 1580 1312 NtUserRegisterWindowMessage ("commdlg_ShareViolation", ... ) == 0xc057
426 1580 1312 NtUserRegisterWindowMessage ("commdlg_FileNameOK", ... ) == 0xc058
427 1580 1312 NtUserRegisterWindowMessage ("commdlg_ColorOK", ... ) == 0xc059
428 1580 1312 NtUserRegisterWindowMessage ("commdlg_SetRGBColor", ... ) == 0xc05a
429 1580 1312 NtUserRegisterWindowMessage ("commdlg_LBSelChangedNotify", ... ) == 0xc056
430 1580 1312 NtUserRegisterWindowMessage ("commdlg_ShareViolation", ... ) == 0xc057
431 1580 1312 NtUserRegisterWindowMessage ("commdlg_FileNameOK", ... ) == 0xc058
432 1580 1312 NtUserRegisterWindowMessage ("commdlg_ColorOK", ... ) == 0xc059
433 1580 1312 NtUserRegisterWindowMessage ("commdlg_SetRGBColor", ... ) == 0xc05a
434 1580 1312 NtUserRegisterWindowMessage ("Shell IDList Array", ... ) == 0xc052
435 1580 1312 NtUserRegisterWindowMessage ("commdlg_help", ... ) == 0xc05b
436 1580 1312 NtUserRegisterWindowMessage ("commdlg_help", ... ) == 0xc05b
437 1580 1312 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager"}, ... 72, ) == 0x0
438 1580 1312 NtQueryValueKey (72, "AdditionalBaseNamedObjectsProtectionMode", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
439 1580 1312 NtClose (72, ... ) == 0x0
440 1580 1312 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 72, ) == 0x0
441 1580 1312 NtQueryValueKey (72, "PageAllocatorUseSystemHeap", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
442 1580 1312 NtClose (72, ... ) == 0x0
443 1580 1312 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 72, ) == 0x0
444 1580 1312 NtQueryValueKey (72, "PageAllocatorSystemHeapIsPrivate", Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
445 1580 1312 NtClose (72, ... ) == 0x0
446 1580 1312 NtCreateKey (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... 72, 2, ) == 0x0
447 1580 1312 NtQueryValueKey (72, "Seed", Partial, 144, ... TitleIdx=0, Type=3, Data="\21\250^\363\226X\313\345\337\240j\366\345\366r\255M\200\244\257\215\311\300\202\224\0\30\327\207-\3320\277\255\332\252\253a\3\244\204\24s\227o\332E\260\23I-\230\326\373\307\232;\233\345\221\303(j\16\333\255w\225;0|Q\24\323\200\13\354\312"}, 92, ) == 0x0
448 1580 1312 NtClose (72, ... ) == 0x0
449 1580 1312 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 72, {status=0x0, info=0}, ) == 0x0
450 1580 1312 NtDeviceIoControlFile (72, 0, 0x0, 0x0, 0x390008, "IE\26Bn\27\335\336*\12\336Vk\344\326L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
451* 1580 1312 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
452* 1580 1312 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
453* 1580 1312 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
454* 1580 1312 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
455* 1580 1312 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
456* 1580 1312 NtQuerySystemInformation (ProcessorStatistics, 3024, ... {system info, class 23, size 0}, 0, ) == 0x0
457* 1580 1312 NtQuerySystemInformation (ProcessesAndThreads, 3016, ... ) == STATUS_INFO_LENGTH_MISMATCH
458* 1580 1312 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147483060, 2, ) == 0x0
459* 1580 1312 NtSetValueKey (-2147483060, "Seed", 0, 3, "\223\262#ek\304\2013\255#\16\240\360J\332\314es\11S\203\314\224\2728\221[\272\241\363\307\203V%\253@\356G\236\26\247\253/\363_^0\263\344L\307\302|\274,\203\364\355"\272_cqf\277\200|\2c{\205\317%\365\354|\207w^$", 80, ...
460* 1580 1312 NtSetInformationFile (-2147483640, -1128722956, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
461* 1580 1312 NtSetInformationFile (-2147483640, -1128722992, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
462* 1580 1312 NtSetInformationFile (-2147483640, -1128723068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
463* 1580 1312 NtSetInformationFile (-2147483640, -1128723068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
459* 1580 1312 NtSetValueKey ... ) == 0x0
464* 1580 1312 NtClose (-2147483060, ... ) == 0x0
450 1580 1312 NtDeviceIoControlFile ... {status=0x0, info=256}, "8\274u\324>\242\343Q\264!\220\327\5Ap\2273\302\223?\330T\310\225\346\267\303\13\306\217\356\274u\373<\373\241\36\277P-\350\344\10Ye\325\27v\317)^TZ,\337a\344\16>\333\255_u\372\242\206\3018\27\337\201\2575Q\346\232`\220UbD\\313\364L\15U\11\206w\346\365\25\340\327c\377\216I%5\336\1\307\340\1347\306%\2\220\363\216Zj\341aJ*\336\353DVT\14\2\362#2,\250\37\11\332Jq \1\233Dl\335\231\316\231\315\2538\215j\274.\1\32\260ZY\4\1\4\263$\3\26\128qp=\241\251\256A\12c\214\34\247j8|\367m\226\3\360\317(}H\17\242&\375"a\272H\354re%\377\211\272\245\232,# \310\2116\262\277\356V\366n4\243\237\255TEn#\330K\374\257\3176v\27\221k\301\252K\267\327\264l\243\2_S\11o8\205G\216", ) == 0x0
465 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
466 1580 1312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
467 1580 1312 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 76, ) == 0x0
468 1580 1312 NtQueryValueKey (76, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) == 0x0
469 1580 1312 NtClose (76, ... ) == 0x0
470 1580 1312 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 76, ) == 0x0
471 1580 1312 NtOpenEvent (0x1f0003, {24, 76, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
472 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
473 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11599872, 65536, ) == 0x0
474 1580 1312 NtAllocateVirtualMemory (-1, 11599872, 0, 4096, 4096, 4, ... 11599872, 4096, ) == 0x0
475 1580 1312 NtCreateEvent (0x100003, 0x0, 1, 0, ... 80, ) == 0x0
476 1580 1312 NtAllocateVirtualMemory (-1, 11603968, 0, 8192, 4096, 4, ... 11603968, 8192, ) == 0x0
477 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 4194304, 8192, 4, ... 11665408, 4194304, ) == 0x0
478 1580 1312 NtAllocateVirtualMemory (-1, 11665408, 0, 65536, 4096, 4, ... 11665408, 65536, ) == 0x0
479 1580 1312 NtQueryVolumeInformationFile (3, 2291792, 8, Device, ... ) == STATUS_INVALID_HANDLE
480 1580 1312 NtQueryVolumeInformationFile (0, 2291792, 8, Device, ... ) == STATUS_INVALID_HANDLE
481 1580 1312 NtQueryVolumeInformationFile (11, 2291792, 8, Device, ... ) == STATUS_OBJECT_TYPE_MISMATCH
482 1580 1312 NtUserRegisterWindowMessage ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) == 0xc04d
483 1580 1312 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
484 1580 1312 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
485 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
486 1580 1312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINNT\system32\ole32.dll"}, 2289656, ... ) == 0x0
487 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
488 1580 1312 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
489 1580 1312 NtTestAlert (... ) == 0x0
490 1580 1312 NtContinue (2293040, 1, ...
491 1580 1312 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401240,}, 4, ... ) == 0x0
492 1580 1312 NtAllocateVirtualMemory (-1, 0, 0, 131064, 8192, 4, ... 15859712, 131072, ) == 0x0
493 1580 1312 NtAllocateVirtualMemory (-1, 15859712, 0, 4096, 4096, 4, ... 15859712, 4096, ) == 0x0
494 1580 1312 NtAllocateVirtualMemory (-1, 11485184, 0, 4096, 4096, 4, ... 11485184, 4096, ) == 0x0
495 1580 1312 NtAllocateVirtualMemory (-1, 11489280, 0, 4096, 4096, 4, ... 11489280, 4096, ) == 0x0
496 1580 1312 NtAllocateVirtualMemory (-1, 11493376, 0, 4096, 4096, 4, ... 11493376, 4096, ) == 0x0
497 1580 1312 NtAllocateVirtualMemory (-1, 11497472, 0, 4096, 4096, 4, ... 11497472, 4096, ) == 0x0
498 1580 1312 NtAllocateVirtualMemory (-1, 11501568, 0, 4096, 4096, 4, ... 11501568, 4096, ) == 0x0
499 1580 1312 NtAllocateVirtualMemory (-1, 11505664, 0, 4096, 4096, 4, ... 11505664, 4096, ) == 0x0
500 1580 1312 NtAllocateVirtualMemory (-1, 11509760, 0, 4096, 4096, 4, ... 11509760, 4096, ) == 0x0
501 1580 1312 NtAllocateVirtualMemory (-1, 11513856, 0, 4096, 4096, 4, ... 11513856, 4096, ) == 0x0
502 1580 1312 NtAllocateVirtualMemory (-1, 11517952, 0, 4096, 4096, 4, ... 11517952, 4096, ) == 0x0
503 1580 1312 NtGdiGetStockObject (17, ... ) == 0x18a0029
504 1580 1312 NtGdiExtGetObjectW (25821225, 92, 2292128, ... ) == 0x5c
505 1580 1312 NtGdiHfontCreate (2291428, 356, 0, 0, 2314232, ... ) == 0x90a09dc
506 1580 1312 NtUserGetDC (0, ... ) == 0x1010057
507 1580 1312 NtUserCallOneParam (16842839, 41, ... ) == 0x1
508 1580 1312 NtUserGetDC (0, ... ) == 0x1010057
509 1580 1312 NtUserCallOneParam (16842839, 41, ... ) == 0x1
510 1580 1312 NtGdiHfontCreate (2291764, 356, 0, 0, 2314224, ... ) == 0x390a09d9
511 1580 1312 NtUserGetDC (0, ... ) == 0x1010057
512 1580 1312 NtUserCallOneParam (16842839, 41, ... ) == 0x1
513 1580 1312 NtGdiHfontCreate (2291764, 356, 0, 0, 2314216, ... ) == 0x750a09c9
514 1580 1312 NtUserGetDC (0, ... ) == 0x1010057
515 1580 1312 NtUserCallOneParam (16842839, 41, ... ) == 0x1
516 1580 1312 NtGdiHfontCreate (2291764, 356, 0, 0, 2314208, ... ) == 0xf20a09c1
517 1580 1312 NtAllocateVirtualMemory (-1, 11522048, 0, 4096, 4096, 4, ... 11522048, 4096, ) == 0x0
518 1580 1312 NtAllocateVirtualMemory (-1, 11526144, 0, 8192, 4096, 4, ... 11526144, 8192, ) == 0x0
519 1580 1312 NtGdiCreatePen (0, 1, 33554687, 0, ... ) == 0xe63009ad
520 1580 1312 NtGdiCreatePen (0, 1, 50331392, 0, ... ) == 0x433009a4
521 1580 1312 NtGdiCreatePen (0, 1, 33619712, 0, ... ) == 0xd9300987
522 1580 1312 NtGdiCreatePen (0, 1, 33554432, 0, ... ) == 0x83009e9
523 1580 1312 NtGdiCreatePen (0, 1, 50331647, 0, ... ) == 0x83009e8
524 1580 1312 NtGdiGetStockObject (8, ... ) == 0x1b00016
525 1580 1312 NtGdiCreatePen (1, 1, 33554432, 0, ... ) == 0xa3009db
526 1580 1312 NtGdiCreatePen (0, 1, 41975936, 0, ... ) == 0x403009da
527 1580 1312 NtGdiCreatePen (0, 1, 40133732, 0, ... ) == 0x8f3009ce
528 1580 1312 NtGdiCreatePen (0, 1, 46186688, 0, ... ) == 0x393009ed
529 1580 1312 NtUserFindExistingCursorIcon (2291644, 2291660, 2292228, ... ) == 0x10011
530 1580 1312 NtUserFindExistingCursorIcon (2291644, 2291660, 2292228, ... ) == 0x10015
531 1580 1312 NtUserFindExistingCursorIcon (2291644, 2291660, 2292228, ... ) == 0x0
532 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
533 1580 1312 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINNT\system32\rpcss.dll"}, 2291048, ... ) == 0x0
534 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
535 1580 1312 NtFsControlFile (24, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
536 1580 1312 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINNT\system32\rpcss.dll"}, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
537 1580 1312 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 84, ... 88, ) == 0x0
538 1580 1312 NtClose (84, ... ) == 0x0
539 1580 1312 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xf40000), 0x0, 274432, ) == 0x0
540 1580 1312 NtClose (88, ... ) == 0x0
541 1580 1312 NtUnmapViewOfSection (-1, 0xf40000, ... ) == 0x0
542 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
543 1580 1312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
544 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
545 1580 1312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
546 1580 1312 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0x1ff04,LowestPhysicalPage=0x2,HighestPhysicalPage=0x1ff76,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
547 1580 1312 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
548 1580 1312 NtDeviceIoControlFile (72, 0, 0x0, 0x0, 0x390008, "IE\26Bn\27\335(\324F\37\361\303\363s]\254o\327B\326\336\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
549* 1580 1312 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
550* 1580 1312 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
551* 1580 1312 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
552* 1580 1312 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
553* 1580 1312 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
554* 1580 1312 NtQuerySystemInformation (ProcessorStatistics, 3024, ... {system info, class 23, size 0}, 0, ) == 0x0
555* 1580 1312 NtQuerySystemInformation (ProcessesAndThreads, 3016, ... ) == STATUS_INFO_LENGTH_MISMATCH
556* 1580 1312 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147483060, 2, ) == 0x0
557* 1580 1312 NtSetValueKey (-2147483060, "Seed", 0, 3, ""N\176\320l\227\177:|\34F\274NL\255e'\245\300xb\21"\306\352T\265\236\265\205~\375\222$\31,O\343n\2659\246\242\17\337\306\373f\35\302]^\202\322V\255\277{\57\333\27\224R\4\12IX!\30J+H';e\341+\250", 80, ... ) == 0x0
558* 1580 1312 NtClose (-2147483060, ... ) == 0x0
548 1580 1312 NtDeviceIoControlFile ... {status=0x0, info=256}, "\27\37\332\17pz\260\265\224\350\336\3074\330\245ZoH\317D\2765\215\3152\270\333\16A\231\366e\261H\250\202\225cQ\260x\225I\343oz\31\237\307c\322\300..\257\270$\256T\253\254\262L\337\24@'\14K\\231\310\213\221\237j\233\32N\220F\355t\312\31\340q\270\24\222\356\324\347\272J\306\255wTb\21\27\354\234\311P\242\271\212f\10\213\371\230\376Ke\256\231\16\26zMeA\257n\245\3622!\366\277G\337ot\217\273\211D\30\257#O\306\250-\G\360)P\310\2437t{n\202\373}\302\13x\224\230\212\232\236\235f9\334\356\\245h\322l\330\351\214v\177\247/\370(4\12\313\336\365{z\23,\333x\206*)\17eb\364\206\34^\1^7.Q\21\254\224\334\345HE\275\2701o+j\362\345e2"&)E\5\332r\37\241I \277\216&\11\317?\256>8\333\327\5\344", ) == 0x0
559 1580 1312 NtDeviceIoControlFile (72, 0, 0x0, 0x0, 0x390008, "IE\26Bn\27\335(\324F\37\361\303\363\205\243\340\256p\352\301{\273\254o\327B\326\336\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
560* 1580 1312 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
561* 1580 1312 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
562* 1580 1312 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
563* 1580 1312 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
564* 1580 1312 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
565* 1580 1312 NtQuerySystemInformation (ProcessorStatistics, 3024, ... {system info, class 23, size 0}, 0, ) == 0x0
566* 1580 1312 NtQuerySystemInformation (ProcessesAndThreads, 3016, ... ) == STATUS_INFO_LENGTH_MISMATCH
567* 1580 1312 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147483060, 2, ) == 0x0
568* 1580 1312 NtSetValueKey (-2147483060, "Seed", 0, 3, "\226\32\363H\241^C\23ED\373\32)\304\3246VJ.\353'.(\344\224\265c]\251\206\374\344\304<\310\367yza\247\372!0\257\246\203;\5l\224\276\203\7\5)5a\212'\273\17\273\351\273?qS\316\234\253%\255\316\13n\232\33^\210", 80, ... ) == 0x0
569* 1580 1312 NtClose (-2147483060, ... ) == 0x0
559 1580 1312 NtDeviceIoControlFile ... {status=0x0, info=256}, "\37Q\24\334@q\351\251\255\220\177\362\220\26\306\177\202\35kE\262$\247\335\271\23\324$a\2127\2\314\16\375/yU\371\271\240r\337o@g\33\2545\11^\205\255\350T\371b\326\367\350\233j\226vf+\305o\246\326\367L\244t\277I&\311\360\374\205\300*)\7\227\356\34\217$\21\321Sgo\15\261\34\177\257\245\262c\275\343\225\300\362\325\306\2140\326{0d\365\374\351p\217\327_N\0\356\35\323\222\270S9\203\302\318Hc\12\224|+\205\246\207i\30h0\216\321\207_\11\370\227\360\260<\225H\7\16U\257\350\253\30\370~\365(I\210\272\12u\240V\206\255\203p[\347\12\202\301\15\3227\313q\15\205\355\25\34\366Qq\217\347\314\206\264\15\242\336v\13\360@\332%\247\250u\304\326\2752\323O\2548\251\3(O\330k\6\243\205\217Q\12\371\264\374\330#r\331\177\271K\323\273\177\374\31\302\341\272", ) == 0x0
570 1580 1312 NtDeviceIoControlFile (72, 0, 0x0, 0x0, 0x390008, "IE\26Bn\27\335(\324F\37\361\303\363\205\243\340\256p\352\301\215E\340\256p\352\301{\273\254o\327B\326\336\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
571* 1580 1312 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
572* 1580 1312 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
573* 1580 1312 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
574* 1580 1312 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
575* 1580 1312 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
576* 1580 1312 NtQuerySystemInformation (ProcessorStatistics, 3024, ... {system info, class 23, size 0}, 0, ) == 0x0
577* 1580 1312 NtQuerySystemInformation (ProcessesAndThreads, 3016, ... ) == STATUS_INFO_LENGTH_MISMATCH
578* 1580 1312 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147483060, 2, ) == 0x0
579* 1580 1312 NtSetValueKey (-2147483060, "Seed", 0, 3, "\266\250g\36\356\324w\323\357;HI\226\3767\270\203\225\26\332\321\233\340\306\330F\322sN\311\355\346\220\353\273\330\217t"i\313\314\24\354u&z\237T\230"\352\34\315+\374\177\323j\10\255L-\253L\210?"\211\302G\361<\355\24\261+QzG", 80, ... ) == 0x0
580* 1580 1312 NtClose (-2147483060, ... ) == 0x0
570 1580 1312 NtDeviceIoControlFile ... {status=0x0, info=256}, "\330")\303\226\320w.\354\347\300\242\277\260\263\373c\370u.\235\356\25g\271f\306z\216\236r\20l\323\253~%\314\221\362\323"\372\250\247K>k\217\25n\3119;\355?r\327{\261\177\247\\324\257e\223\216\201\343\336ay\0|m\364\17l5\250\257KB\25A\11\330\270\332G\323N6\307\23\311\217\373\304\236\273\337v\23P5a&\352\361\3058\225\300\264\31x\256gi\260\5\346\227\263\5"\13\315\305\310\225\277\265\251\14?\376\2108\240\204u\314U\275\242\356sp\0v;\257\214\214\204\310\336\242\217n\236\2<z\206\300\377\264f\244P\314\262_\17\365\255.\363\14\251\0u\354a\224\277\322<\2407\224w\254\277\356\337\13\122\306\33\37\30\306\214\244\316_l\276\354\14:B\257R\335c\366\30\351+\345X/{\267y%\230\342\307\271\16\11BV\2156_\267\323\222\35\335\273%\4\346\31", ) == 0x0
581 1580 1312 NtDeviceIoControlFile (72, 0, 0x0, 0x0, 0x390008, "IE\26Bn\27\335(\324F\37\361\303\363\205\243\340\256p\352\301\215E\340\256p\352\301\215E\340\256p\352\301{\273\254o\327B\326\336\252\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
582* 1580 1312 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
583* 1580 1312 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
584* 1580 1312 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
585* 1580 1312 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
586* 1580 1312 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
587* 1580 1312 NtQuerySystemInformation (ProcessorStatistics, 3024, ... {system info, class 23, size 0}, 0, ) == 0x0
588* 1580 1312 NtQuerySystemInformation (ProcessesAndThreads, 3016, ... ) == STATUS_INFO_LENGTH_MISMATCH
589* 1580 1312 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147483060, 2, ) == 0x0
590* 1580 1312 NtSetValueKey (-2147483060, "Seed", 0, 3, "\356x\201\324z)\316\262\37\262l\220J@i&\311!l|\367\324c\375x/\301\222o\237\267\5\326\206\3741\322\370\203.\