Summary:
| NtAddAtom(>) | 1 | NtUserGetDC(>) | 1 | NtReadFile(>) | 3 | NtOpenProcessTokenEx(>) | 10 | 
| NtAdjustPrivilegesToken(>) | 1 | NtUserGetThreadDesktop(>) | 1 | NtSetInformationThread(>) | 3 | NtOpenThreadTokenEx(>) | 10 | 
| NtCallbackReturn(>) | 1 | NtUserSetWindowsHookEx(>) | 1 | NtWaitForMultipleObjects(>) | 3 | NtCreateEvent(>) | 14 | 
| NtCreateSemaphore(>) | 1 | NtUserUnhookWindowsHookEx(>) | 1 | NtContinue(>) | 4 | NtQueryDirectoryFile(>) | 14 | 
| NtDuplicateToken(>) | 1 | NtWriteVirtualMemory(>) | 1 | NtDuplicateObject(>) | 4 | NtQueryAttributesFile(>) | 15 | 
| NtEnumerateValueKey(>) | 1 | NtCreateIoCompletion(>) | 2 | NtQuerySection(>) | 4 | NtQueryDebugFilterState(>) | 15 | 
| NtGdiCreateBitmap(>) | 1 | NtCreateKey(>) | 2 | NtQueryVirtualMemory(>) | 4 | NtQueryInformationToken(>) | 15 | 
| NtGdiInit(>) | 1 | NtCreateThread(>) | 2 | NtQueryVolumeInformationFile(>) | 4 | NtUnmapViewOfSection(>) | 15 | 
| NtGdiQueryFontAssocInfo(>) | 1 | NtDelayExecution(>) | 2 | NtSetEvent(>) | 4 | NtCreateFile(>) | 16 | 
| NtGdiSelectBitmap(>) | 1 | NtEnumerateKey(>) | 2 | NtSetInformationObject(>) | 4 | NtOpenSection(>) | 20 | 
| NtOpenEvent(>) | 1 | NtGdiCreateSolidBrush(>) | 2 | NtWaitForSingleObject(>) | 4 | NtOpenFile(>) | 22 | 
| NtOpenKeyedEvent(>) | 1 | NtOpenDirectoryObject(>) | 2 | NtWriteFile(>) | 4 | NtQuerySystemInformation(>) | 25 | 
| NtOpenProcess(>) | 1 | NtQueryKey(>) | 2 | NtFreeVirtualMemory(>) | 5 | NtUserFindExistingCursorIcon(>) | 34 | 
| NtOpenSymbolicLinkObject(>) | 1 | NtRegisterThreadTerminatePort(>) | 2 | NtFsControlFile(>) | 5 | NtMapViewOfSection(>) | 37 | 
| NtQueryInformationThread(>) | 1 | NtResumeThread(>) | 2 | NtGdiGetStockObject(>) | 5 | NtAllocateVirtualMemory(>) | 39 | 
| NtQueryInstallUILanguage(>) | 1 | NtSetEventBoostPriority(>) | 2 | NtQueryDefaultLocale(>) | 5 | NtUserRegisterClassExWOW(>) | 42 | 
| NtQueryObject(>) | 1 | NtTestAlert(>) | 2 | NtQueryInformationFile(>) | 5 | NtQueryValueKey(>) | 55 | 
| NtQuerySymbolicLinkObject(>) | 1 | NtUserCallOneParam(>) | 2 | NtSetInformationFile(>) | 5 | NtCreateSection(>) | 62 | 
| NtQuerySystemTime(>) | 1 | NtUserRegisterWindowMessage(>) | 2 | NtQueryInformationProcess(>) | 6 | NtFlushInstructionCache(>) | 77 | 
| NtSecureConnectPort(>) | 1 | NtAccessCheck(>) | 3 | NtUserSystemParametersInfo(>) | 7 | NtOpenKey(>) | 121 | 
| NtSetInformationProcess(>) | 1 | NtCreateMutant(>) | 3 | NtDeviceIoControlFile(>) | 8 | NtProtectVirtualMemory(>) | 174 | 
| NtSetValueKey(>) | 1 | NtGdiCreateCompatibleDC(>) | 3 | NtOpenProcessToken(>) | 8 | NtClose(>) | 233 | 
| NtTerminateProcess(>) | 1 | NtOpenThreadToken(>) | 3 | NtQueryDefaultUILanguage(>) | 8 | ||
| NtUserCallNoParam(>) | 1 | NtQueryPerformanceCounter(>) | 3 | 
\324\3\265\237K\20\253\35\227|\225D\274\311q\262\1\302\317\321\325\337\0\6\345|ih"
, ) , ) == 0x0 00527 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00528 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00529 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0 00530 896 NtQueryValueKey (48, (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00531 896 NtClose (48, ... ) == 0x0 00532 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0 00533 896 NtQueryValueKey (48, (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00534 896 NtClose (48, ... ) == 0x0 00535 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00536 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00537 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00538 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00539 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0 00540 896 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00541 896 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00542 896 NtQueryValueKey (48, (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00543 896 NtClose (48, ... ) == 0x0 00544 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0 00545 896 NtQueryValueKey (48, (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00546 896 NtQueryValueKey (48, (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00547 896 NtClose (48, ... ) == 0x0 00548 896 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0 00549 896 NtOpenEvent (0x1f0003, {24, 48, 0x0, 0, 0, (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 896 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077 00551 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00552 896 NtOpenKey (0x9, {24, 40, 0x40, 0, 0, (0x9, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00553 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00554 896 NtTestAlert (... ) == 0x0 00555 896 NtContinue (1244464, 1, ... 00556 896 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x406646,}, 4, ... ) == 0x0 00557 896 NtProtectVirtualMemory (-1, (0x401000), 32768, 64, ... (0x401000), 32768, 128, ) == 0x0 00558 896 NtProtectVirtualMemory (-1, (0x409000), 32768, 64, ... (0x409000), 32768, 2, ) == 0x0 00559 896 NtProtectVirtualMemory (-1, (0x411000), 4096, 4, ... (0x411000), 4096, 8, ) == 0x0 00560 896 NtProtectVirtualMemory (-1, (0x400000), 1024, 4, ... (0x400000), 4096, 2, ) == 0x0 00561 896 NtProtectVirtualMemory (-1, (0x400000), 1024, 2, ... (0x400000), 4096, 4, ) == 0x0 00562 896 NtProtectVirtualMemory (-1, (0x400000), 4096, 4, ... (0x400000), 4096, 2, ) == 0x0 00563 896 NtProtectVirtualMemory (-1, (0x400000), 4096, 2, ... (0x400000), 4096, 4, ) == 0x0 00564 896 NtUserCallOneParam (1244308, 38, ... ) == 0x1 00565 896 NtOpenProcessToken (-1, 0x8, ... 52, ) == 0x0 00566 896 NtAllocateVirtualMemory (-1, 0, 0, 1024, 4096, 4, ... 8781824, 4096, ) == 0x0 00567 896 NtQueryInformationToken (52, Groups, 1024, ... {token info, class 2, size 196}, 196, ) == 0x0 00568 896 NtClose (52, ... ) == 0x0 00569 896 NtFreeVirtualMemory (-1, (0x860000), 0, 32768, ... (0x860000), 4096, ) == 0x0 00570 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00571 896 NtQueryDefaultUILanguage (2090319928, ... 00572 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00573 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 00574 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00575 896 NtClose (-2147482756, ... ) == 0x0 00576 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 00577 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00578 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 00579 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 896 NtClose (-2147481452, ... ) == 0x0 00581 896 NtClose (-2147482756, ... ) == 0x0 00571 896 NtQueryDefaultUILanguage ... ) == 0x0 00582 896 NtQueryInstallUILanguage (2090319930, ... ) == 0x0 00583 896 NtQueryDefaultLocale (1, 1244116, ... ) == 0x0 00584 896 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1244124, (0x40100080, {24, 0, 0x40, 0, 1244124, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00585 896 NtClose (-2147482756, ... ) == 0x0 00584 896 NtCreateFile ... 52, {status=0x0, info=2}, ) == 0x0 00586 896 NtWriteFile (52, 0, 0, 0, (52, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\177\14}\243\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0T\0\0\0\20\0\0\0\340\1\0\304_\0\0\0\20\0\0\0\360\1\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0`\2\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0|P\2\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", 41984, 0x0, 0, ... , 41984, 0x0, 0, ... 00587 896 NtContinue (-135750188, 0, ... 00586 896 NtWriteFile ... {status=0x0, info=41984}, ) == 0x0 00588 896 NtClose (52, ... ) == 0x0 00589 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1243840, (0x80100080, {24, 0, 0x40, 0, 1243840, "\??\u:\work\packed.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0 00590 896 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1243840, (0x40100080, {24, 0, 0x40, 0, 1243840, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 56, {status=0x0, info=1}, ) == 0x0 00591 896 NtQueryInformationFile (52, 1243900, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00592 896 NtSetInformationFile (52, 1243932, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00593 896 NtReadFile (52, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=13}, (52, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=13}, "153406\0\0\0\0\0\0\0", ) , ) == 0x0 00594 896 NtQueryInformationFile (56, 1243900, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00595 896 NtSetInformationFile (56, 1243932, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00596 896 NtWriteFile (56, 0, 0, 0, (56, 0, 0, 0, "153406\0\0\0\0\0\0\0", 13, 0x0, 0, ... {status=0x0, info=13}, ) , 13, 0x0, 0, ... {status=0x0, info=13}, ) == 0x0 00597 896 NtClose (52, ... ) == 0x0 00598 896 NtClose (56, ... ) == 0x0 00599 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 1241936, ... ) }, 1241936, ... ) == 0x0 00600 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00601 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 56, ... 52, ) == 0x0 00602 896 NtClose (56, ... ) == 0x0 00603 896 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 45056, ) == 0x0 00604 896 NtClose (52, ... ) == 0x0 00605 896 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00606 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 1242244, ... ) }, 1242244, ... ) == 0x0 00607 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\awtqnkhe.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00608 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 52, ... 56, ) == 0x0 00609 896 NtQuerySection (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00610 896 NtClose (52, ... ) == 0x0 00611 896 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 155648, ) == 0x0 00612 896 NtClose (56, ... ) == 0x0 00613 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 4, ... (0x10025000), 4096, 2, ) == 0x0 00614 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 2, ... (0x10025000), 4096, 4, ) == 0x0 00615 896 NtFlushInstructionCache (-1, 268587008, 4096, ... ) == 0x0 00616 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 4, ... (0x10025000), 4096, 2, ) == 0x0 00617 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 2, ... (0x10025000), 4096, 4, ) == 0x0 00618 896 NtFlushInstructionCache (-1, 268587008, 4096, ... ) == 0x0 00619 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 4, ... (0x10025000), 4096, 2, ) == 0x0 00620 896 NtProtectVirtualMemory (-1, (0x10025000), 4096, 2, ... (0x10025000), 4096, 4, ) == 0x0 00621 896 NtFlushInstructionCache (-1, 268587008, 4096, ... ) == 0x0 00622 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\awtqnkhe.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00623 896 NtProtectVirtualMemory (-1, (0x10001000), 122880, 64, ... (0x10001000), 122880, 128, ) == 0x0 00624 896 NtProtectVirtualMemory (-1, (0x1001f000), 20480, 64, ... (0x1001f000), 20480, 2, ) == 0x0 00625 896 NtProtectVirtualMemory (-1, (0x10024000), 4096, 4, ... (0x10024000), 4096, 8, ) == 0x0 00626 896 NtProtectVirtualMemory (-1, (0x10000000), 1024, 4, ... (0x10000000), 4096, 2, ) == 0x0 00627 896 NtProtectVirtualMemory (-1, (0x10000000), 1024, 2, ... (0x10000000), 4096, 4, ) == 0x0 00628 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 56, ) }, ... 56, ) == 0x0 00629 896 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0 00630 896 NtClose (56, ... ) == 0x0 00631 896 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00632 896 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00633 896 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00634 896 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00635 896 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00636 896 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00637 896 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00638 896 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00639 896 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00640 896 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00641 896 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00642 896 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00643 896 NtProtectVirtualMemory (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0 00644 896 NtProtectVirtualMemory (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0 00645 896 NtFlushInstructionCache (-1, 2012614656, 2076, ... ) == 0x0 00646 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00647 896 NtOpenKey (0x2000000, {24, 40, 0x40, 0, 0, (0x2000000, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00648 896 NtCreateSemaphore (0x1f0003, {24, 48, 0x80, 1333712, 0, (0x1f0003, {24, 48, 0x80, 1333712, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 56, ) }, 0, 2147483647, ... 56, ) == STATUS_OBJECT_NAME_EXISTS 00649 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 52, ) }, ... 52, ) == 0x0 00650 896 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42cf0000), 0x0, 1208320, ) == 0x0 00651 896 NtClose (52, ... ) == 0x0 00652 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00653 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00654 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00655 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00656 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00657 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00658 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00659 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00660 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00661 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00662 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00663 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00664 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00665 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00666 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00667 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00668 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00669 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00670 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00671 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00672 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00673 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00674 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00675 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00676 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00677 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00678 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00679 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iertutil.dll"}, ... 52, ) }, ... 52, ) == 0x0 00680 896 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42990000), 0x0, 282624, ) == 0x0 00681 896 NtClose (52, ... ) == 0x0 00682 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00683 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00684 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00685 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00686 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00687 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00688 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00689 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00690 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00691 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00692 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00693 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00694 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00695 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00696 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00697 896 NtProtectVirtualMemory (-1, (0x42991000), 616, 4, ... (0x42991000), 4096, 32, ) == 0x0 00698 896 NtProtectVirtualMemory (-1, (0x42991000), 4096, 32, ... (0x42991000), 4096, 4, ) == 0x0 00699 896 NtFlushInstructionCache (-1, 1117327360, 616, ... ) == 0x0 00700 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 00701 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 00702 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 00703 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00704 896 NtQueryPerformanceCounter (... {-1449271618, 16}, {3579545, 0}, ) == 0x0 00705 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00706 896 NtQueryPerformanceCounter (... {-1449270588, 16}, {3579545, 0}, ) == 0x0 00707 896 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00708 896 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "Local\ZonesCounterMutex"}, 0, ... 52, ) }, 0, ... 52, ) == STATUS_OBJECT_NAME_EXISTS 00709 896 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "Local\ZonesCacheCounterMutex"}, 0, ... 60, ) }, 0, ... 60, ) == STATUS_OBJECT_NAME_EXISTS 00710 896 NtCreateMutant (0x1f0001, {24, 48, 0x80, 0, 0, (0x1f0001, {24, 48, 0x80, 0, 0, "Local\ZonesLockedCacheCounterMutex"}, 0, ... 64, ) }, 0, ... 64, ) == STATUS_OBJECT_NAME_EXISTS 00711 896 NtQueryDefaultUILanguage (1239148, ... 00712 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00713 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 00714 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00715 896 NtClose (-2147482756, ... ) == 0x0 00716 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 00717 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00718 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 00719 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00720 896 NtClose (-2147481452, ... ) == 0x0 00721 896 NtClose (-2147482756, ... ) == 0x0 00711 896 NtQueryDefaultUILanguage ... ) == 0x0 00722 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 896 NtQueryDefaultLocale (1, 1237244, ... ) == 0x0 00724 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00725 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81837, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81837, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81837, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ) ) == 0x0 00726 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00727 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00728 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00729 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00730 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236472, ... ) }, 1236472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00731 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00732 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00733 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00734 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1236536, ... ) }, 1236536, ... ) == 0x0 00735 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 68, {status=0x0, info=1}, ) }, 3, 33, ... 68, {status=0x0, info=1}, ) == 0x0 00736 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00737 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00738 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0 00739 896 NtClose (72, ... ) == 0x0 00740 896 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 1056768, ) == 0x0 00741 896 NtClose (76, ... ) == 0x0 00742 896 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00743 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00744 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 72, ) == 0x0 00745 896 NtQuerySection (72, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00746 896 NtClose (76, ... ) == 0x0 00747 896 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0 00748 896 NtClose (72, ... ) == 0x0 00749 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00750 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00751 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00752 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00753 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00754 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00755 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00756 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00757 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00758 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00759 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00760 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00761 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00762 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00763 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00764 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00765 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00766 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00767 896 NtProtectVirtualMemory (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0 00768 896 NtProtectVirtualMemory (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0 00769 896 NtFlushInstructionCache (-1, 2000490496, 1924, ... ) == 0x0 00770 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00771 896 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238016, ... ) , 42, 1238016, ... ) == 0x0 00772 896 NtQueryDefaultUILanguage (1236700, ... 00773 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00774 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 00775 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00776 896 NtClose (-2147482756, ... ) == 0x0 00777 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 00778 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00779 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 00780 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00781 896 NtClose (-2147481452, ... ) == 0x0 00782 896 NtClose (-2147482756, ... ) == 0x0 00772 896 NtQueryDefaultUILanguage ... ) == 0x0 00783 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235540, ... ) }, 1235540, ... ) == 0x0 00784 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 72, {status=0x0, info=1}, ) }, 5, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00785 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 72, ... 76, ) == 0x0 00786 896 NtClose (72, ... ) == 0x0 00787 896 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x870000), 0x0, 4096, ) == 0x0 00788 896 NtClose (76, ... ) == 0x0 00789 896 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00790 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235136, ... ) }, 1235136, ... ) == 0x0 00791 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235880, (0x80100080, {24, 0, 0x40, 0, 1235880, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00792 896 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 72, ) == 0x0 00793 896 NtClose (76, ... ) == 0x0 00794 896 NtMapViewOfSection (72, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x870000), {0, 0}, 4096, ) == 0x0 00795 896 NtClose (72, ... ) == 0x0 00796 896 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00797 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00798 896 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00799 896 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x870000), 0x0, 4096, ) == 0x0 00800 896 NtQueryInformationFile (72, 1235532, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00801 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00802 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1235832, 1179817, 1235556} (24, {128, 156, new_msg, 0, 2088850039, 1235832, 1179817, 1235556} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1H\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0l\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1H\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0l\337\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81838, 0} (24, {128, 156, new_msg, 0, 2088850039, 1235832, 1179817, 1235556} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1H\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0l\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81838, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6!\1H\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6!\1\0\0\0\0\0\0\0\0l\337\22\0\0\0\0\0" ) ) == 0x0 00803 896 NtClose (72, ... ) == 0x0 00804 896 NtClose (76, ... ) == 0x0 00805 896 NtUnmapViewOfSection (-1, 0x870000, ... ) == 0x0 00806 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00807 896 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00808 896 NtUserSystemParametersInfo (104, 0, 2001084812, 0, ... ) == 0x1 00809 896 NtUserGetDC (0, ... ) == 0x1010052 00810 896 NtUserCallOneParam (16842834, 57, ... ) == 0x1 00811 896 NtUserSystemParametersInfo (38, 4, 2001086940, 0, ... ) == 0x1 00812 896 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00813 896 NtUserSystemParametersInfo (66, 12, 1237532, 0, ... ) == 0x1 00814 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00815 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00816 896 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00817 896 NtClose (76, ... ) == 0x0 00818 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 76, ) }, ... 76, ) == 0x0 00819 896 NtOpenProcessToken (-1, 0x8, ... 72, ) == 0x0 00820 896 NtAccessCheck (1332816, 72, 0x1, 1237364, 1237416, 56, 1237396, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00821 896 NtClose (72, ... ) == 0x0 00822 896 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "Control Panel\Desktop"}, ... 72, ) }, ... 72, ) == 0x0 00823 896 NtQueryValueKey (72, (72, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00824 896 NtClose (72, ... ) == 0x0 00825 896 NtUserSystemParametersInfo (41, 500, 1237560, 0, ... ) == 0x1 00826 896 NtOpenProcessToken (-1, 0x8, ... 72, ) == 0x0 00827 896 NtAccessCheck (1332816, 72, 0x1, 1237364, 1237416, 56, 1237396, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00828 896 NtClose (72, ... ) == 0x0 00829 896 NtOpenKey (0x20019, {24, 76, 0x40, 0, 0, (0x20019, {24, 76, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 72, ) }, ... 72, ) == 0x0 00830 896 NtQueryValueKey (72, (72, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00831 896 NtClose (72, ... ) == 0x0 00832 896 NtUserSystemParametersInfo (27, 0, 2001085788, 0, ... ) == 0x1 00833 896 NtUserSystemParametersInfo (102, 0, 2001086828, 0, ... ) == 0x1 00834 896 NtClose (76, ... ) == 0x0 00835 896 NtUserSystemParametersInfo (4130, 0, 1238064, 0, ... ) == 0x1 00836 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00837 896 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00838 896 NtClose (76, ... ) == 0x0 00839 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00840 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c03b 00841 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c03d 00842 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00843 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c03f 00844 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00845 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c041 00846 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00847 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c043 00848 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c045 00849 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00850 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c047 00851 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00852 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c049 00853 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00854 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c04b 00855 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00856 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c04d 00857 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00858 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c04f 00859 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c051 00860 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00861 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c053 00862 896 NtUserFindExistingCursorIcon (1237308, 1237324, 1237372, ... ) == 0x10011 00863 896 NtUserRegisterClassExWOW (1237252, 1237320, 1237336, 1237352, 0, 384, 0, ... ) == 0x8177c055 00864 896 NtUserFindExistingCursorIcon (1237308, 1237324, 1237372, ... ) == 0x10011 00865 896 NtUserRegisterClassExWOW (1237252, 1237320, 1237336, 1237352, 0, 384, 0, ... ) == 0x8177c057 00866 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00867 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c059 00868 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10013 00869 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c05b 00870 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00871 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c05d 00872 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00873 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c05f 00874 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00875 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c017 00876 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00877 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c019 00878 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10013 00879 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c018 00880 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00881 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c01a 00882 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00883 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c01c 00884 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00885 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c01e 00886 896 NtUserFindExistingCursorIcon (1237304, 1237320, 1237368, ... ) == 0x10011 00887 896 NtUserRegisterClassExWOW (1237304, 1237372, 1237388, 1237404, 0, 384, 0, ... ) == 0x8177c01b 00888 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00889 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c068 00890 896 NtUserFindExistingCursorIcon (1237312, 1237328, 1237376, ... ) == 0x10011 00891 896 NtUserRegisterClassExWOW (1237256, 1237324, 1237340, 1237356, 0, 384, 0, ... ) == 0x8177c06a 00892 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00893 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 76, ) == 0x0 00894 896 NtQueryInformationToken (76, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00895 896 NtClose (76, ... ) == 0x0 00896 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 76, ) }, ... 76, ) == 0x0 00897 896 NtSetInformationObject (78, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00898 896 NtQueryKey (78, Name, 384, ... {Name= (78, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 00899 896 NtOpenKey (0x2000000, {24, 78, 0x40, 0, 0, (0x2000000, {24, 78, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 72, ) }, ... 72, ) == 0x0 00901 896 NtQueryKey (74, Name, 392, ... {Name= (74, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 00902 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00903 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00904 896 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00905 896 NtClose (80, ... ) == 0x0 00906 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 896 NtEnumerateKey (74, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name= (74, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 00908 896 NtEnumerateKey (74, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 00909 896 NtClose (74, ... ) == 0x0 00910 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00911 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 72, ) == 0x0 00912 896 NtQueryInformationToken (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00913 896 NtClose (72, ... ) == 0x0 00914 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 72, ) }, ... 72, ) == 0x0 00915 896 NtSetInformationObject (72, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00916 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00917 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 80, ) }, ... 80, ) == 0x0 00919 896 NtQueryValueKey (80, (80, "DisableImprovedZoneCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 896 NtClose (80, ... ) == 0x0 00921 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 80, ) }, ... 80, ) == 0x0 00926 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 896 NtClose (80, ... ) == 0x0 00929 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 896 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 896 NtOpenKey (0x1, {24, 40, 0x40, 0, 0, (0x1, {24, 40, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 80, ) }, ... 80, ) == 0x0 00939 896 NtOpenKey (0x1, {24, 72, 0x40, 0, 0, (0x1, {24, 72, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_OBJECT_CACHING"}, ... 84, ) }, ... 84, ) == 0x0 00941 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 896 NtClose (84, ... ) == 0x0 00944 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_ZONE_ELEVATION"}, ... 84, ) }, ... 84, ) == 0x0 00945 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 896 NtClose (84, ... ) == 0x0 00948 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_MIME_HANDLING"}, ... 84, ) }, ... 84, ) == 0x0 00949 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 896 NtClose (84, ... ) == 0x0 00952 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_MIME_SNIFFING"}, ... 84, ) }, ... 84, ) == 0x0 00953 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 896 NtClose (84, ... ) == 0x0 00956 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_WINDOW_RESTRICTIONS"}, ... 84, ) }, ... 84, ) == 0x0 00957 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 896 NtClose (84, ... ) == 0x0 00960 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_WEBOC_POPUPMANAGEMENT"}, ... 84, ) }, ... 84, ) == 0x0 00961 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00962 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 896 NtClose (84, ... ) == 0x0 00964 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_BEHAVIORS"}, ... 84, ) }, ... 84, ) == 0x0 00965 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00966 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00967 896 NtClose (84, ... ) == 0x0 00968 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_DISABLE_MK_PROTOCOL"}, ... 84, ) }, ... 84, ) == 0x0 00969 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (84, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00971 896 NtClose (84, ... ) == 0x0 00972 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_LOCALMACHINE_LOCKDOWN"}, ... 84, ) }, ... 84, ) == 0x0 00973 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 896 NtClose (84, ... ) == 0x0 00976 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_SECURITYBAND"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_RESTRICT_ACTIVEXINSTALL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_VALIDATE_NAVIGATE_URL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00979 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_RESTRICT_FILEDOWNLOAD"}, ... 84, ) }, ... 84, ) == 0x0 00980 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00982 896 NtClose (84, ... ) == 0x0 00983 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_ADDON_MANAGEMENT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_PROTOCOL_LOCKDOWN"}, ... 84, ) }, ... 84, ) == 0x0 00985 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00986 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00987 896 NtClose (84, ... ) == 0x0 00988 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_SAFE_BINDTOOBJECT"}, ... 84, ) }, ... 84, ) == 0x0 00990 896 NtQueryValueKey (84, (84, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00991 896 NtQueryValueKey (84, (84, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00992 896 NtClose (84, ... ) == 0x0 00993 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_UNC_SAVEDFILECHECK"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00994 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_GET_URL_DOM_FILEPATH_UNENCODED"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_TABBED_BROWSING"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_SSLUX"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_DISABLE_NAVIGATION_SOUNDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00998 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_DISABLE_LEGACY_COMPRESSION"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00999 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_FORCE_ADDR_AND_STATUS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01000 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_XMLHTTP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01001 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_DISABLE_TELNET_PROTOCOL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_FEEDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 896 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "FEATURE_BLOCK_INPUT_PROMPTS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 896 NtClose (80, ... ) == 0x0 01005 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 80, ) }, ... 80, ) == 0x0 01006 896 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42c10000), 0x0, 847872, ) == 0x0 01007 896 NtClose (80, ... ) == 0x0 01008 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01009 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01010 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01011 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01012 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01013 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01014 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01015 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01016 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01017 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01018 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01019 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01020 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01021 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01022 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01023 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01024 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01025 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01026 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Normaliz.dll"}, ... 80, ) }, ... 80, ) == 0x0 01027 896 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x870000), 0x0, 36864, ) == STATUS_IMAGE_NOT_AT_BASE 01028 896 NtProtectVirtualMemory (-1, (0x871000), 18944, 4, ... (0x871000), 20480, 32, ) == 0x0 01029 896 NtProtectVirtualMemory (-1, (0x877000), 1024, 4, ... (0x877000), 4096, 2, ) == 0x0 01030 896 NtProtectVirtualMemory (-1, (0x878000), 1536, 4, ... (0x878000), 4096, 2, ) == 0x0 01031 896 NtMapViewOfSection (80, -1, (0x870000), 0, 0, 0x0, 36864, 1, 0, 4, ... ) == STATUS_CONFLICTING_ADDRESSES 01032 896 NtProtectVirtualMemory (-1, (0x871000), 18944, 16, ... (0x871000), 20480, 4, ) == 0x0 01033 896 NtProtectVirtualMemory (-1, (0x877000), 1024, 2, ... (0x877000), 4096, 8, ) == 0x0 01034 896 NtProtectVirtualMemory (-1, (0x878000), 1536, 2, ... (0x878000), 4096, 8, ) == 0x0 01035 896 NtFlushInstructionCache (-1, 0, 0, ... ) == 0x0 01036 896 NtClose (80, ... ) == 0x0 01037 896 NtProtectVirtualMemory (-1, (0x871000), 160, 4, ... (0x871000), 4096, 16, ) == 0x0 01038 896 NtProtectVirtualMemory (-1, (0x871000), 4096, 16, ... (0x871000), 4096, 4, ) == 0x0 01039 896 NtFlushInstructionCache (-1, 8851456, 160, ... ) == 0x0 01040 896 NtProtectVirtualMemory (-1, (0x871000), 160, 4, ... (0x871000), 4096, 16, ) == 0x0 01041 896 NtProtectVirtualMemory (-1, (0x871000), 4096, 16, ... (0x871000), 4096, 4, ) == 0x0 01042 896 NtFlushInstructionCache (-1, 8851456, 160, ... ) == 0x0 01043 896 NtProtectVirtualMemory (-1, (0x871000), 160, 4, ... (0x871000), 4096, 16, ) == 0x0 01044 896 NtProtectVirtualMemory (-1, (0x871000), 4096, 16, ... (0x871000), 4096, 4, ) == 0x0 01045 896 NtFlushInstructionCache (-1, 8851456, 160, ... ) == 0x0 01046 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01047 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01048 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01049 896 NtProtectVirtualMemory (-1, (0x42c11000), 1452, 4, ... (0x42c11000), 4096, 32, ) == 0x0 01050 896 NtProtectVirtualMemory (-1, (0x42c11000), 4096, 32, ... (0x42c11000), 4096, 4, ) == 0x0 01051 896 NtFlushInstructionCache (-1, 1119948800, 1452, ... ) == 0x0 01052 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01053 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01054 896 NtQueryPerformanceCounter (... {-1448507233, 16}, {3579545, 0}, ) == 0x0 01055 896 NtAllocateVirtualMemory (-1, 1343488, 0, 8192, 4096, 4, ... 1343488, 8192, ) == 0x0 01056 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01057 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8978432, 1048576, ) == 0x0 01058 896 NtAllocateVirtualMemory (-1, 8978432, 0, 4096, 4096, 4, ... 8978432, 4096, ) == 0x0 01059 896 NtAllocateVirtualMemory (-1, 8982528, 0, 8192, 4096, 4, ... 8982528, 8192, ) == 0x0 01060 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 01061 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239784, (0xc0100080, {24, 0, 0x40, 0, 1239784, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 84, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 84, {status=0x0, info=0}, ) == 0x0 01062 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 88, ) == 0x0 01063 896 NtDeviceIoControlFile (84, 88, 0x0, 0x12eb48, 0x22414c, (84, 88, 0x0, 0x12eb48, 0x22414c, "\220\353\22\0\0\0\0\0\1\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\0\0\0\0\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 01064 896 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 01065 896 NtQueryValueKey (-2147482756, (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01066 896 NtQueryValueKey (-2147482756, (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 896 NtClose (-2147482756, ... ) == 0x0 01068 896 NtClose (892, ... ) == 0x0 01063 896 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, " \30P\342\0\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#LinksG\16\0\0\0\0\0\0\0\0\0\2\0\0\0U\4\376\14\272\223\15D\243\376U9s\320\267#\0\20\10\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01069 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240000, (0xc0100080, {24, 0, 0x40, 0, 1240000, "\??\WMIDataDevice"}, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) }, 0x0, 128, 0, 1, 64, 0, 0, ... 96, {status=0x0, info=0}, ) == 0x0 01070 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0 01071 896 NtDuplicateObject (-1, -1, -1, 0x0, 0, 2, ... 104, ) == 0x0 01072 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 108, ) == 0x0 01073 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0 01074 896 NtAllocateVirtualMemory (-1, 8990720, 0, 8192, 4096, 4, ... 8990720, 8192, ) == 0x0 01075 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 10027008, 1048576, ) == 0x0 01076 896 NtAllocateVirtualMemory (-1, 11067392, 0, 8192, 4096, 4, ... 11067392, 8192, ) == 0x0 01077 896 NtProtectVirtualMemory (-1, (0xa8e000), 4096, 260, ... (0xa8e000), 4096, 4, ) == 0x0 01078 896 NtCreateThread (0x1f03ff, 0x0, -1, 1239084, 1239028, 1, ... 116, {1252, 2016}, ) == 0x0 01079 896 NtQueryInformationThread (116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1252,Tid=2016,}, 0x0, ) == 0x0 01080 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0t\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0t\0\0\0\344\4\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81839, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 8978808} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0t\0\0\0\344\4\0\0\340\7\0\0" ... {28, 56, reply, 0, 1252, 896, 81839, 0} "\0\0\0\0\1\0\1\0\0\0\0\0(\2\0\0t\0\0\0\344\4\0\0\340\7\0\0" ) ) == 0x0 01081 896 NtResumeThread (116, ... 1, ) == 0x0 01082 896 NtClose (116, ... ) == 0x0 01083 2016 NtCreateEvent (0x100003, 0x0, 1, 0, ... 116, ) == 0x0 01084 2016 NtWaitForSingleObject (116, 0, 0x0, ... 01085 896 NtSetEvent (100, ... 0x0, ) == 0x0 01086 896 NtSetEvent (80, ... 0x0, ) == 0x0 01087 896 NtClose (80, ... ) == 0x0 01088 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 01089 896 NtAllocateVirtualMemory (-1, 8998912, 0, 4096, 4096, 4, ... 8998912, 4096, ) == 0x0 01090 896 NtDeviceIoControlFile (84, 88, 0x0, 0x12eb48, 0x22414c, (84, 88, 0x0, 0x12eb48, 0x22414c, "\220\353\22\0\0\0\0\0\2\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0\0\0\0\0\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 01091 896 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 01092 896 NtQueryValueKey (-2147482756, (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01093 896 NtQueryValueKey (-2147482756, (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01094 896 NtClose (-2147482756, ... ) == 0x0 01095 896 NtClose (892, ... ) == 0x0 01090 896 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, " (\267\341\0\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344HotKey\16\0\0\0\0\0\0\0\0\0\2\0\0\0\254\253\177yX{\226G\271$\325\21x\245\234\344\0\20\10\0x\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01096 896 NtSetEvent (100, ... 0x0, ) == 0x0 01097 896 NtSetEvent (80, ... 0x0, ) == 0x0 01098 896 NtClose (80, ... ) == 0x0 01099 896 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 01100 896 NtOpenProcessToken (-1, 0xa, ... 80, ) == 0x0 01101 896 NtDuplicateToken (80, 0xc, {24, 0, 0x0, 0, 1240268, 0x0}, 0, 2, ... 124, ) == 0x0 01102 896 NtClose (80, ... ) == 0x0 01103 896 NtAccessCheck (1332816, 124, 0x1, 1240344, 1240396, 56, 1240376, ... (0x1), ) == 0x0 01104 896 NtClose (124, ... ) == 0x0 01105 896 NtQueryDefaultUILanguage (1239148, ... 01106 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01107 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 01108 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01109 896 NtClose (-2147482756, ... ) == 0x0 01110 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 01111 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01112 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 01113 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01114 896 NtClose (-2147481452, ... ) == 0x0 01115 896 NtClose (-2147482756, ... ) == 0x0 01105 896 NtQueryDefaultUILanguage ... ) == 0x0 01116 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01117 896 NtQueryDefaultLocale (1, 1237244, ... ) == 0x0 01118 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01119 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81840, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81840, 0} (24, {128, 156, new_msg, 0, 2088850039, 1238280, 1179817, 1238004} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81840, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0PR\313B\0\0\0\0\370\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\374\350\22\0\0\0\0\0" ) ) == 0x0 01120 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01121 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01122 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01123 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01124 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236472, ... ) }, 1236472, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01125 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01126 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01127 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01128 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1236536, ... ) }, 1236536, ... ) == 0x0 01129 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 124, {status=0x0, info=1}, ) }, 3, 33, ... 124, {status=0x0, info=1}, ) == 0x0 01130 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01131 896 NtCreateKey (0x2001f, {24, 72, 0x40, 0, 0, (0x2001f, {24, 72, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0 01132 896 NtProtectVirtualMemory (-1, (0x10000000), 4096, 4, ... (0x10000000), 4096, 2, ) == 0x0 01133 896 NtProtectVirtualMemory (-1, (0x10000000), 4096, 2, ... (0x10000000), 4096, 4, ) == 0x0 01134 896 NtOpenProcessToken (-1, 0x8, ... 128, ) == 0x0 01135 896 NtAllocateVirtualMemory (-1, 0, 0, 1024, 4096, 4, ... 11141120, 4096, ) == 0x0 01136 896 NtQueryInformationToken (128, Groups, 1024, ... {token info, class 2, size 196}, 196, ) == 0x0 01137 896 NtClose (128, ... ) == 0x0 01138 896 NtFreeVirtualMemory (-1, (0xaa0000), 0, 32768, ... (0xaa0000), 4096, ) == 0x0 01139 896 NtSetEventBoostPriority (116, ... 01084 2016 NtWaitForSingleObject ... ) == 0x0 01140 2016 NtTestAlert (... ) == 0x0 01141 2016 NtContinue (11074864, 1, ... 01142 2016 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01143 2016 NtDeviceIoControlFile (96, 108, 0x0, 0x77e466a0, 0x228144, (96, 108, 0x0, 0x77e466a0, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0h\0\0\0\0\0\0\0x\0\0\0\0\0\0\0\\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 01139 896 NtSetEventBoostPriority ... ) == 0x0 01144 896 NtDelayExecution (0, {0, 0}, ... 01145 2016 NtWaitForMultipleObjects (2, (100, 108, ), 1, 1, {1294967296, -1}, ... ) == 0x0 01146 2016 NtDeviceIoControlFile (96, 112, 0x0, 0x77e46680, 0x228144, (96, 112, 0x0, 0x77e46680, 0x228144, "\2\0\0\0\1\0\0\0\\370\342w\0\0\0\0h\0\0\0\0\0\0\0x\0\0\0\0\0\0\0\\0\0\0\0\0\0\0", 40, 4096, ... {status=0x103, info=0}, "", ) , 40, 4096, ... {status=0x103, info=0}, "", ) == 0x103 01144 896 NtDelayExecution ... ) == 0x0 01147 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\c:\"}, 3, 16417, ... 128, {status=0x0, info=1}, ) }, 3, 16417, ... 128, {status=0x0, info=1}, ) == 0x0 01148 896 NtQueryInformationFile (128, 1242016, 528, Name, ... {status=0x0, info=6}, ) == 0x0 01149 896 NtQueryVolumeInformationFile (128, 1348280, 284, Volume, ... {status=0x0, info=18}, ) == 0x0 01150 896 NtClose (128, ... ) == 0x0 01151 896 NtCreateEvent (0x1f0003, {24, 48, 0x80, 0, 0, (0x1f0003, {24, 48, 0x80, 0, 0, "a7cfcaa5"}, 0, 0, ... 128, ) }, 0, 0, ... 128, ) == 0x0 01152 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 01153 2016 NtWaitForMultipleObjects (2, (100, 112, ), 1, 1, {1294967296, -1}, ... 01152 896 NtAllocateVirtualMemory ... 11141120, 65536, ) == 0x0 01154 896 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 01155 896 NtCreateSection (0xf0007, 0x0, {18400, 0}, 4, 134217728, 0, ... 132, ) == 0x0 01156 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xab0000), {0, 0}, 20480, ) == 0x0 01157 896 NtUnmapViewOfSection (-1, 0xab0000, ... ) == 0x0 01158 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xab0000), {0, 0}, 20480, ) == 0x0 01159 896 NtFreeVirtualMemory (-1, (0xaa0000), 0, 32768, ... (0xaa0000), 65536, ) == 0x0 01160 896 NtUnmapViewOfSection (-1, 0xab0000, ... ) == 0x0 01161 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 20480, ) == 0x0 01162 896 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 01163 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 20480, ) == 0x0 01164 896 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 01165 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 20480, ) == 0x0 01166 896 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 01167 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 20480, ) == 0x0 01168 896 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 01169 896 NtMapViewOfSection (132, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 20480, ) == 0x0 01170 896 NtUnmapViewOfSection (-1, 0xaa0000, ... ) == 0x0 01171 896 NtClose (132, ... ) == 0x0 01172 896 NtOpenProcessToken (-1, 0x28, ... 132, ) == 0x0 01173 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01174 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01175 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 136, ) }, ... 136, ) == 0x0 01176 896 NtQueryValueKey (136, (136, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01177 896 NtClose (136, ... ) == 0x0 01178 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01179 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0 01180 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 140, ) == 0x0 01181 896 NtQuerySystemTime (... {1421329164, 29929616}, ) == 0x0 01182 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0 01183 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01185 896 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01186 896 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01187 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0 01188 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 152, ) == 0x0 01189 896 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 01190 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 156, ) }, ... 156, ) == 0x0 01191 896 NtOpenKey (0x20019, {24, 156, 0x40, 0, 0, (0x20019, {24, 156, 0x40, 0, 0, "ActiveComputerName"}, ... 160, ) }, ... 160, ) == 0x0 01192 896 NtQueryValueKey (160, (160, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (160, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (160, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01193 896 NtClose (160, ... ) == 0x0 01194 896 NtClose (156, ... ) == 0x0 01195 896 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 156, ) == 0x0 01196 896 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 160, ) == 0x0 01197 896 NtDuplicateObject (-1, 156, -1, 0x0, 0, 2, ... 164, ) == 0x0 01198 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01199 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 01200 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01201 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01202 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240980, (0xc0100080, {24, 0, 0x40, 0, 1240980, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 172, {status=0x0, info=1}, ) == 0x0 01203 896 NtSetInformationFile (172, 1241036, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01204 896 NtSetInformationFile (172, 1241024, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01205 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01206 896 NtWriteFile (172, 149, 0, 0, (172, 149, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01207 896 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 01208 896 NtReadFile (172, 149, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (172, 149, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01209 896 NtFsControlFile (172, 149, 0x0, 0x0, 0x11c017, (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\366\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\366\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01210 896 NtFsControlFile (172, 149, 0x0, 0x0, 0x11c017, (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\00\222\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \00\222\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28 \0"\00\222\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28\0\0\0\0", ) == 0x103 01211 896 NtFsControlFile (172, 149, 0x0, 0x0, 0x11c017, (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (172, 149, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\201\262\254?gS\263F\252\227\2L\355h\28", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01212 896 NtClose (168, ... ) == 0x0 01213 896 NtClose (172, ... ) == 0x0 01214 896 NtAdjustPrivilegesToken (132, 0, 1242828, 0, 0, 0, ... ) == 0x0 01215 896 NtClose (132, ... ) == 0x0 01216 896 NtOpenProcess (0x42a, {24, 0, 0x0, 0, 0, 0x0}, {580, 0}, ... 132, ) == 0x0 01217 896 NtAllocateVirtualMemory (132, 0, 0, 33, 4096, 4, ... 19595264, 4096, ) == 0x0 01218 896 NtProtectVirtualMemory (132, (0x12b0000), 33, 64, ... (0x12b0000), 4096, 4, ) == 0x0 01219 896 NtProtectVirtualMemory (132, (0x12b0000), 4096, 4, ... (0x12b0000), 4096, 64, ) == 0x0 01220 896 NtWriteVirtualMemory (132, 0x12b0000, (132, 0x12b0000, "C:\WINDOWS\system32\awtqnkhe.dll\0", 33, ... 33, ) , 33, ... 33, ) == 0x0 01221 896 NtFlushInstructionCache (132, 19595264, 33, ... ) == 0x0 01222 896 NtAllocateVirtualMemory (132, 0, 0, 1048576, 8192, 4, ... 27852800, 1048576, ) == 0x0 01223 896 NtAllocateVirtualMemory (132, 28893184, 0, 8192, 4096, 4, ... 28893184, 8192, ) == 0x0 01224 896 NtProtectVirtualMemory (132, (0x1b8e000), 4096, 260, ... (0x1b8e000), 4096, 4, ) == 0x0 01225 896 NtCreateThread (0x1f03ff, 0x0, 132, 1241872, 1241816, 1, ... 172, {580, 596}, ) == 0x0 01226 896 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 268541172, 33, 65535, 2147340288} (24, {28, 56, new_msg, 0, 268541172, 33, 65535, 2147340288} "\0\0\0\0\1\0\1\0\34&\200|\0\0\0\0\254\0\0\0D\2\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\0\0\0D\2\0\0T\2\0\0" ) ... {28, 56, reply, 0, 1252, 896, 81841, 0} (24, {28, 56, new_msg, 0, 268541172, 33, 65535, 2147340288} "\0\0\0\0\1\0\1\0\34&\200|\0\0\0\0\254\0\0\0D\2\0\0T\2\0\0" ... {28, 56, reply, 0, 1252, 896, 81841, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\0\0\0D\2\0\0T\2\0\0" ) ) == 0x0 01227 896 NtResumeThread (172, ... 1, ) == 0x0 01228 896 NtWaitForSingleObject (172, 0, 0x0, ... ) == 0x0 01229 896 NtFreeVirtualMemory (132, (0x12b0000), 0, 32768, ... (0x12b0000), 4096, ) == 0x0 01230 896 NtClose (172, ... ) == 0x0 01231 896 NtClose (132, ... ) == 0x0 01232 896 NtUserSetWindowsHookEx (268435456, 1242248, 0, 3, 268443916, 2, ... ) == 0x2007009d 01233 896 NtWaitForSingleObject (128, 0, {-300000000, -1}, ... ) == 0x0 01234 896 NtUserUnhookWindowsHookEx (537329821, ... ) == 0x1 01235 896 NtClose (128, ... ) == 0x0 01236 896 NtUnmapViewOfSection (-1, 0x10000000, ... ) == 0x0 01237 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 128, {status=0x0, info=1}, ) }, 7, 2113568, ... 128, {status=0x0, info=1}, ) == 0x0 01238 896 NtSetInformationFile (128, 1243576, 40, Basic, ... ) == STATUS_ACCESS_DENIED 01239 896 NtClose (128, ... ) == 0x0 01240 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1243600, ... ) }, 1243600, ... ) == 0x0 01241 896 NtTerminateProcess (-1, 0, ... 01153 2016 NtWaitForMultipleObjects ... ) == 0xc0