Summary:

NtContinue(>) 1 NtQueryInformationProcess(>) 1 NtRegisterThreadTerminatePort(>) 1 NtQuerySystemInformation(>) 5
NtCreateSection(>) 1 NtQueryObject(>) 1 NtSecureConnectPort(>) 1 NtMapViewOfSection(>) 7
NtOpenDirectoryObject(>) 1 NtQuerySection(>) 1 NtSetInformationObject(>) 1 NtAllocateVirtualMemory(>) 9
NtOpenKeyedEvent(>) 1 NtQuerySymbolicLinkObject(>) 1 NtOpenFile(>) 2 NtFlushInstructionCache(>) 9
NtOpenSymbolicLinkObject(>) 1 NtQueryValueKey(>) 1 NtOpenKey(>) 2 NtOpenSection(>) 9
NtQueryAttributesFile(>) 1 NtQueryVolumeInformationFile(>) 1 NtQueryVirtualMemory(>) 3 NtClose(>) 10
NtQueryDefaultLocale(>) 1 NtRaiseHardError(>) 1 NtRequestWaitReplyPort(>) 3 NtProtectVirtualMemory(>) 18

Trace:

00001 808 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00002 808 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00003 808 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
00004 808 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
00005 808 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 1310720, 4096, ) == 0x0
00006 808 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
00007 808 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
00008 808 NtAllocateVirtualMemory (-1, 1376256, 0, 10248, 4096, 4, ... 1376256, 12288, ) == 0x0
00009 808 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
00010 808 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
00011 808 NtAllocateVirtualMemory (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
00012 808 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
00013 808 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
00014 808 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
00015 808 NtClose (12, ... ) == 0x0
00016 808 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
00017 808 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
00018 808 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00019 808 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
00020 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
00021 808 NtClose (16, ... ) == 0x0
00022 808 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
00023 808 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
00024 808 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0
00025 808 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
00026 808 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
00027 808 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
00028 808 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
00029 808 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1313584, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2490368, 19267584}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1313584, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2490368, 19267584}, {0, 0, 0}, 200, 44, ) == 0x0
00030 808 NtClose (16, ... ) == 0x0
00031 808 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
00032 808 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
00033 808 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
00034 808 NtQueryVirtualMemory (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
00035 808 NtAllocateVirtualMemory (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
00036 808 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6&\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... {28, 56, reply, 0, 868, 808, 75546, 0} "P\14\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ... {28, 56, reply, 0, 868, 808, 75546, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6&\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ... {28, 56, reply, 0, 868, 808, 75546, 0} "P\14\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6&\1\4\0\0\0" ) ) == 0x0
00037 808 NtRegisterThreadTerminatePort (24, ... ) == 0x0
00038 808 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
00039 808 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
00040 808 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
00041 808 NtClose (16, ... ) == 0x0
00042 808 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
00043 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
00044 808 NtClose (16, ... ) == 0x0
00045 808 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0
00046 808 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
00047 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 249856, ) == 0x0
00048 808 NtClose (16, ... ) == 0x0
00049 808 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
00050 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
00051 808 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
00052 808 NtClose (16, ... ) == 0x0
00053 808 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
00054 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
00055 808 NtClose (16, ... ) == 0x0
00056 808 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
00057 808 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00058 808 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
00059 808 NtAllocateVirtualMemory (-1, 2494464, 0, 8192, 4096, 4, ... 2494464, 8192, ) == 0x0
00060 808 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 808, 75551, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ... {24, 52, reply, 0, 868, 808, 75551, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6&\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ... {24, 52, reply, 0, 868, 808, 75551, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6&\1p\30\0\0" ) ) == 0x0
00061 808 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 808, 75552, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ... {28, 56, reply, 0, 868, 808, 75552, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6&\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ... {28, 56, reply, 0, 868, 808, 75552, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6&\18\6\0\0" ) ) == 0x0
00062 808 NtProtectVirtualMemory (-1, (0x13ab000), 200704, 4, ... (0x13ab000), 200704, 128, ) == 0x0
00063 808 NtProtectVirtualMemory (-1, (0x13ab000), 200704, 128, ... (0x13ab000), 200704, 8, ) == 0x0
00064 808 NtFlushInstructionCache (-1, 20623360, 200704, ... ) == 0x0
00065 808 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.DLL"}, ... 16, ) }, ... 16, ) == 0x0
00066 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
00067 808 NtClose (16, ... ) == 0x0
00068 808 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
00069 808 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
00070 808 NtClose (16, ... ) == 0x0
00071 808 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
00072 808 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
00073 808 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0
00074 808 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
00075 808 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
00076 808 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0
00077 808 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
00078 808 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
00079 808 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0
00080 808 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
00081 808 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
00082 808 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0
00083 808 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
00084 808 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
00085 808 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0
00086 808 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
00087 808 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
00088 808 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0
00089 808 NtProtectVirtualMemory (-1, (0x13ab000), 200704, 4, ... (0x13ab000), 200704, 128, ) == 0x0
00090 808 NtProtectVirtualMemory (-1, (0x13ab000), 200704, 128, ... (0x13ab000), 200704, 8, ) == 0x0
00091 808 NtFlushInstructionCache (-1, 20623360, 200704, ... ) == 0x0
00092 808 NtQueryVirtualMemory (-1, 0x7c918e00, Basic, 28, ... {BaseAddress=0x7c918000,AllocationBase=0x7c900000,AllocationProtect=0x80,RegionSize=0x64000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
00093 808 NtContinue (1242124, 0, ...
00094 808 NtRaiseHardError (-1073741499, 1, 0, 1244332, 1, 1244320, ...