Summary:


NtAccessCheck(>)  1 
NtGetContextThread(>)  2 
NtResumeThread(>)  4 
NtQuerySystemInformation(>)  11 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtSetValueKey(>)  4 
NtSetInformationFile(>)  13 

NtDeviceIoControlFile(>)  1 
NtOpenMutant(>)  2 
NtContinue(>)  5 
NtSetInformationProcess(>)  13 

NtLoadDriver(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtCreateEvent(>)  5 
NtCreateFile(>)  14 

NtOpenEvent(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtFlushInstructionCache(>)  5 
NtOpenFile(>)  15 

NtOpenKeyedEvent(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtFreeVirtualMemory(>)  5 
NtProtectVirtualMemory(>)  15 

NtQueryDebugFilterState(>)  1 
NtReleaseMutant(>)  2 
NtQueryVirtualMemory(>)  5 
NtMapViewOfSection(>)  16 

NtQueryInformationJobObject(>)  1 
NtSetContextThread(>)  2 
NtRequestWaitReplyPort(>)  5 
NtQueryAttributesFile(>)  18 

NtQueryInstallUILanguage(>)  1 
NtSetInformationObject(>)  2 
NtFsControlFile(>)  6 
NtQueryInformationProcess(>)  18 

NtQueryObject(>)  1 
NtSuspendThread(>)  2 
NtOpenThreadToken(>)  6 
NtOpenProcessTokenEx(>)  21 

NtQuerySystemTime(>)  1 
NtAdjustPrivilegesToken(>)  3 
NtQueryInformationFile(>)  6 
NtOpenThreadTokenEx(>)  21 

NtReadFile(>)  1 
NtCreateThread(>)  3 
NtSetInformationThread(>)  6 
NtQueryDefaultLocale(>)  22 

NtSecureConnectPort(>)  1 
NtQueryInformationThread(>)  3 
NtUnmapViewOfSection(>)  6 
NtQueryValueKey(>)  23 

NtTerminateThread(>)  1 
NtQuerySection(>)  3 
NtOpenProcessToken(>)  7 
NtQueryInformationToken(>)  26 

NtCreateIoCompletion(>)  2 
NtRegisterThreadTerminatePort(>)  3 
NtWaitForSingleObject(>)  8 
NtAllocateVirtualMemory(>)  40 

NtCreateKey(>)  2 
NtTestAlert(>)  3 
NtCreateSection(>)  9 
NtOpenKey(>)  71 

NtDuplicateObject(>)  2 
NtQueryDirectoryFile(>)  4 
NtWriteFile(>)  9 
NtClose(>)  101 

NtDuplicateToken(>)  2 
NtQueryVolumeInformationFile(>)  4 
NtWriteVirtualMemory(>)  9 

NtEnumerateKey(>)  2 
NtReadVirtualMemory(>)  4 

Trace:
 00001   312   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   312   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   312   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   312   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   312   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   312   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   312   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   312   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   312   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   312   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   312   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   312   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   312   NtClose  (12, ... ) == 0x0
 00014   312   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   312   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   312   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   312   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   312   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   312   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   312   NtClose  (16, ... ) == 0x0
 00021   312   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   312   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   312   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   312   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   312   NtClose  (16, ... ) == 0x0
 00026   312   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   312   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   312   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   312   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   312   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   312   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 304, 312, 1472, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 304, 312, 1472, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 304, 312, 1472, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   312   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   312   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   312   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   312   NtClose  (16, ... ) == 0x0
 00036   312   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   312   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   312   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   312   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   312   NtClose  (28, ... ) == 0x0
 00041   312   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   312   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   312   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   312   NtClose  (28, ... ) == 0x0
 00045   312   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   312   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   312   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   312   NtClose  (28, ... ) == 0x0
 00049   312   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   312   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   312   NtClose  (28, ... ) == 0x0
 00052   312   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   312   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   312   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   312   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 304, 312, 1477, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 304, 312, 1477, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 304, 312, 1477, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   312   NtProtectVirtualMemory  (-1, (0x401000), 28, 4, ... (0x401000), 4096, 32, ) == 0x0
 00057   312   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00058   312   NtFlushInstructionCache  (-1, 4198400, 28, ... ) == 0x0
 00059   312   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   312   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   312   NtClose  (28, ... ) == 0x0
 00062   312   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   312   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   312   NtClose  (28, ... ) == 0x0
 00065   312   NtTestAlert  (... ) == 0x0
 00066   312   NtContinue  (1244464, 1, ...
 00067   312   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401020,}, 4, ... ) == 0x0
 00068   312   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4259840, 1048576, ) == 0x0
 00069   312   NtAllocateVirtualMemory  (-1, 5300224, 0, 8192, 4096, 4, ... 5300224, 8192, ) == 0x0
 00070   312   NtProtectVirtualMemory  (-1, (0x50e000), 4096, 260, ... (0x50e000), 4096, 4, ) == 0x0
 00071   312   NtCreateThread  (0x1f03ff, 0x0, -1, 1243544, 1244260, 1, ... 28, {304, 500}, ) == 0x0
 00072   312   NtQueryInformationThread  (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=304,Tid=500,}, 0x0, ) == 0x0
 00073   312   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 2147347448, 2367272}  (24, {28, 56, new_msg, 0, 0, 0, 2147347448, 2367272} "\0\0\0\0\1\0\1\0\0\0\24\0\365\26\365w\34\0\0\00\1\0\0\364\1\0\0" ... {28, 56, reply, 0, 304, 312, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\365\26\365w\34\0\0\00\1\0\0\364\1\0\0" )  ... {28, 56, reply, 0, 304, 312, 1478, 0}  (24, {28, 56, new_msg, 0, 0, 0, 2147347448, 2367272} "\0\0\0\0\1\0\1\0\0\0\24\0\365\26\365w\34\0\0\00\1\0\0\364\1\0\0" ... {28, 56, reply, 0, 304, 312, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\365\26\365w\34\0\0\00\1\0\0\364\1\0\0" )  ) == 0x0
 00074   312   NtGetContextThread  (28, 1244388, ... ) == 0x0
 00075   312   NtSetContextThread  (28, 1244388, ... ) == 0x0
 00076   312   NtResumeThread  (28, ...
 00077   500   NtTestAlert  (... ) == 0x0
 00078   500   NtContinue  (5307696, 1, ...
 00079   500   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00080   500   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00081   500   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3276800, 262144, ) == 0x0
 00082   500   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00083   500   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00076   312   NtResumeThread  ... 1, ) == 0x0
 00084   312   NtSuspendThread  (-2, ...
 00085   500   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00086   500   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3538944, 262144, ) == 0x0
 00087   500   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00088   500   NtAllocateVirtualMemory  (-1, 3543040, 0, 61440, 4096, 4, ... 3543040, 61440, ) == 0x0
 00089   500   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00090   500   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3801088, 262144, ) == 0x0
 00091   500   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 00092   500   NtAllocateVirtualMemory  (-1, 0, 0, 12800032, 4096, 4, ... 5308416, 12804096, ) == 0x0
 00093   500   NtAllocateVirtualMemory  (-1, 336855040, 0, 36864, 12288, 64, ... 336855040, 36864, ) == 0x0
 00094   500   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0
 00095   500   NtQueryValueKey  (32,  (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   500   NtClose  (32, ... ) == 0x0
 00097   500   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00098   500   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00099   500   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00100   500   NtClose  (32, ... ) == 0x0
 00101   500   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00102   500   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00103   500   NtClose  (32, ... ) == 0x0
 00104   500   NtAllocateVirtualMemory  (-1, 5296128, 0, 4096, 4096, 260, ... 5296128, 4096, ) == 0x0
 00105   500   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00106   500   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00107   500   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00108   500   NtClose  (32, ... ) == 0x0
 00109   500   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00110   500   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00111   500   NtClose  (32, ... ) == 0x0
 00112   500   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00113   500   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00114   500   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   500   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 262144, ) == 0x0
 00116   500   NtFreeVirtualMemory  (-1, (0x510000), 0, 32768, ... (0x510000), 12804096, ) == 0x0
 00117   500   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 262144, ) == 0x0
 00118   500   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3538944, 262144, ) == 0x0
 00119   500   NtAllocateVirtualMemory  (-1, 3788800, 0, 12288, 4096, 4, ... 3788800, 12288, ) == 0x0
 00120   500   NtProtectVirtualMemory  (-1, (0x39d000), 4096, 260, ... (0x39d000), 4096, 4, ) == 0x0
 00121   500   NtCreateThread  (0x1f03ff, 0x0, -1, 5307496, 5308212, 1, ... 36, {304, 536}, ) == 0x0
 00122   500   NtQueryInformationThread  (36, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=304,Tid=536,}, 0x0, ) == 0x0
 00123   500   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\00\1\0\0\30\2\0\0" ... {28, 56, reply, 0, 304, 500, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\00\1\0\0\30\2\0\0" )  ... {28, 56, reply, 0, 304, 500, 1481, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\00\1\0\0\30\2\0\0" ... {28, 56, reply, 0, 304, 500, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\00\1\0\0\30\2\0\0" )  ) == 0x0
 00124   500   NtResumeThread  (36, ... 1, ) == 0x0
 00125   500   NtSuspendThread  (-2, ...
 00126   536   NtTestAlert  (... ) == 0x0
 00127   536   NtContinue  (3800368, 1, ...
 00128   536   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00129   536   NtOpenThreadToken  (-2, 0x28, 0, ... ) == STATUS_NO_TOKEN
 00130   536   NtOpenProcessToken  (-1, 0x2, ... 40, ) == 0x0
 00131   536   NtDuplicateToken  (40, 0x4, {24, 0, 0x0, 0, 3799496, 0x0}, 0, 2, ... 44, ) == 0x0
 00132   536   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=44,}, 4, ... ) == 0x0
 00133   536   NtClose  (44, ... ) == 0x0
 00134   536   NtClose  (40, ... ) == 0x0
 00135   536   NtOpenThreadToken  (-2, 0x28, 0, ... 40, ) == 0x0
 00136   536   NtAdjustPrivilegesToken  (40, 0, 1326580, 1024, 1325556, 3799540, ... ) == 0x0
 00137   536   NtSetInformationProcess  (-1, PriorityClass, {process info, class 18, size 2}, 1024, ... ) == 0x0
 00138   536   NtClose  (40, ... ) == 0x0
 00139   536   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00140   536   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00141   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00142   536   NtQueryInformationFile  (40, 3798716, 528, Name, ... {status=0x0, info=42}, ) == 0x0
 00143   536   NtQueryVolumeInformationFile  (40, 1325680, 144, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00144   536   NtClose  (40, ... ) == 0x0
 00145   536   NtQueryDefaultUILanguage  (2013024600, ...
 00146   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00147   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00148   536   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00149   536   NtClose  (-2147482020, ... ) == 0x0
 00150   536   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00151   536   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   536   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0
 00153   536   NtQueryValueKey  (-2147482024,  (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154   536   NtClose  (-2147482024, ... ) == 0x0
 00155   536   NtClose  (-2147482020, ... ) == 0x0
 00145   536   NtQueryDefaultUILanguage  ... ) == 0x0
 00156   536   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00157   536   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00158   536   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00159   536   NtQueryDefaultLocale  (0, 3799260, ... ) == 0x0
 00160   536   NtAllocateVirtualMemory  (-1, 1327104, 0, 8192, 4096, 4, ... 1327104, 8192, ) == 0x0
 00161   536   NtOpenFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\??\C:\polyunpack"}, 3, 33, ... 40, {status=0x0, info=1}, ) }, 3, 33, ... 40, {status=0x0, info=1}, ) == 0x0
 00162   536   NtClose  (40, ... ) == 0x0
 00163   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\polyunpack"}, 3, 8388641, ... 40, {status=0x0, info=1}, ) }, 3, 8388641, ... 40, {status=0x0, info=1}, ) == 0x0
 00164   536   NtQueryVolumeInformationFile  (40, 3799380, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00165   536   NtClose  (40, ... ) == 0x0
 00166   536   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 3799364,  (0x100080, {24, 0, 0x40, 0, 3799364, "\??\C:\WINDOWS\System32\drivers\secdrv.sys"}, 0x0, 0, 7, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) == 0x0
 00167   536   NtQueryInformationFile  (40, 3799380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00168   536   NtFsControlFile  (40, 0, 0x0, 0x0, 0x90073,  (40, 0, 0x0, 0x0, 0x90073, "\0\0\0\0\0\0\0\0", 8, 128, ... {status=0x0, info=32}, "\1\0\0\0x\1\24\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\1j\1\0\0\0\0\0", ) , 8, 128, ... {status=0x0, info=32},  (40, 0, 0x0, 0x0, 0x90073, "\0\0\0\0\0\0\0\0", 8, 128, ... {status=0x0, info=32}, "\1\0\0\0x\1\24\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\1j\1\0\0\0\0\0", ) , ) == 0x0
 00169   536   NtClose  (40, ... ) == 0x0
 00170   536   NtAllocateVirtualMemory  (-1, 1335296, 0, 28672, 4096, 4, ... 1335296, 28672, ) == 0x0
 00171   536   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3799364,  (0xc0100080, {24, 0, 0x40, 0, 3799364, "\??\C:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) == 0x0
 00172   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00173   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\2\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00174   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00175   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) \300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17 (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) \300\211q\20\213E\370\17 (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00176   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00177   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00178   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00179   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00180   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00181   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00182   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00183   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00184   536   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00185   536   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00186   536   NtClose  (40, ... ) == 0x0
 00187   536   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 3799364,  (0x100080, {24, 0, 0x40, 0, 3799364, "\??\C:\WINDOWS\System32\drivers\secdrv.sys"}, 0x0, 128, 7, 1, 104, 0, 0, ... }, 0x0, 128, 7, 1, 104, 0, 0, ...
 00188   536   NtContinue  (-135071000, 0, ...
 00189   536   NtContinue  (-135071236, 0, ...
 00187   536   NtCreateFile  ... 40, {status=0x0, info=1}, ) == 0x0
 00190   536   NtClose  (40, ... ) == 0x0
 00191   536   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 40, ) }, ... 40, ) == 0x0
 00192   536   NtOpenEvent  (0x100000, {24, 40, 0x0, 0, 0,  (0x100000, {24, 40, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 44, ) }, ... 44, ) == 0x0
 00193   536   NtWaitForSingleObject  (44, 0, {-1800000000, -1}, ... ) == 0x0
 00194   536   NtClose  (44, ... ) == 0x0
 00195   536   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00196   536   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197   536   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00198   536   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00199   536   NtClose  (44, ... ) == 0x0
 00200   536   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00201   536   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00202   536   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00203   536   NtQuerySystemTime  (... {-416545474, 29889243}, ) == 0x0
 00204   536   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00205   536   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   536   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00207   536   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00208   536   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00209   536   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00210   536   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00211   536   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00212   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00213   536   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00214   536   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00215   536   NtClose  (68, ... ) == 0x0
 00216   536   NtClose  (64, ... ) == 0x0
 00217   536   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00218   536   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00219   536   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00220   536   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00221   536   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00222   536   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00223   536   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00224   536   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3797912,  (0xc0100080, {24, 0, 0x40, 0, 3797912, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00225   536   NtSetInformationFile  (80, 3797968, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00226   536   NtSetInformationFile  (80, 3797960, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00227   536   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00228   536   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00229   536   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00230   536   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x103, info=0}, "", ) == 0x103
 00231   536   NtWaitForSingleObject  (57, 1, {-410065408, -3}, ... ) == 0x0
 00232   536   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20""\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20""\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", )  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20""\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00233   536   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00234   536   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\23=\372!\317~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0S\0e\0c\0d\0r\0v\0\0\0\0\0\377\1\17\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\23=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\23=\372!\317~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0S\0e\0c\0d\0r\0v\0\0\0\0\0\377\1\17\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\23=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 00235   536   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00236   536   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\23\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=48},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\23\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 00237   536   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00238   536   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24=\372!\317~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00239   536   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00240   536   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00241   536   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00242   536   NtQueryDefaultLocale  (0, 3799260, ... ) == 0x0
 00243   536   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 00244   536   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 3799476,  (0x40100080, {24, 0, 0x40, 0, 3799476, "\??\C:\WINDOWS\System32\drivers\runtime.sys"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 00245   536   NtClose  (-2147482020, ... ) == 0x0
 00244   536   NtCreateFile  ... 84, {status=0x0, info=2}, ) == 0x0
 00246   536   NtWriteFile  (84, 0, 0, 0,  (84, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 5504, 0x0, 0, ... {status=0x0, info=5504}, ) , 5504, 0x0, 0, ... {status=0x0, info=5504}, ) == 0x0
 00247   536   NtClose  (84, ... ) == 0x0
 00248   536   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services"}, ... 84, ) }, ... 84, ) == 0x0
 00249   536   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "runtime"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00250   536   NtSetInformationFile  (-2147482844, -135068636, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00251   536   NtSetInformationFile  (-2147482844, -135068732, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00249   536   NtCreateKey  ... 88, 1, ) == 0x0
 00252   536   NtSetValueKey  (88,  (88, "ImagePath", 0, 1, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0i\0v\0e\0r\0s\0\\0r\0u\0n\0t\0i\0m\0e\0.\0s\0y\0s\0\0\0", 88, ... ) , 0, 1,  (88, "ImagePath", 0, 1, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0i\0v\0e\0r\0s\0\\0r\0u\0n\0t\0i\0m\0e\0.\0s\0y\0s\0\0\0", 88, ... ) , 88, ... ) == 0x0
 00253   536   NtSetValueKey  (88,  (88, "Type", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (88, "Type", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00254   536   NtSetValueKey  (88,  (88, "Start", 0, 4, "\3\0\0\0", 4, ... , 0, 4,  (88, "Start", 0, 4, "\3\0\0\0", 4, ... , 4, ...
 00255   536   NtSetInformationFile  (-2147482844, -135068252, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00254   536   NtSetValueKey  ... ) == 0x0
 00256   536   NtClose  (88, ... ) == 0x0
 00257   536   NtClose  (84, ... ) == 0x0
 00258   536   NtOpenProcessToken  (-1, 0x28, ... 84, ) == 0x0
 00259   536   NtAdjustPrivilegesToken  (84, 0, 3798984, 16, 3798968, 3799000, ... ) == 0x0
 00260   536   NtClose  (84, ... ) == 0x0
 00261   536   NtLoadDriver  ( ("\Registry\Machine\System\CurrentControlSet\Services\runtime", ... ) , ... ) == 0x0
 00262   536   NtOpenProcessToken  (-1, 0x28, ... 84, ) == 0x0
 00263   536   NtAdjustPrivilegesToken  (84, 0, 3798984, 16, 3798968, 3799000, ... ) == 0x0
 00264   536   NtClose  (84, ... ) == 0x0
 00265   536   NtQueryDefaultLocale  (1, 3799312, ... ) == 0x0
 00266   536   NtQueryDefaultLocale  (1, 3799312, ... ) == 0x0
 00267   536   NtQueryDefaultLocale  (0, 3799292, ... ) == 0x0
 00268   536   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00269   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program.exe"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00271   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3796048,  (0x80100080, {24, 0, 0x40, 0, 3796048, "\??\C:\Program"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet.exe"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3796048,  (0x80100080, {24, 0, 0x40, 0, 3796048, "\??\C:\Program Files\Internet"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3795348, ... ) }, 3795348, ... ) == 0x0
 00276   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3796040, ... ) }, 3796040, ... ) == 0x0
 00277   536   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00278   536   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0
 00279   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00280   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 92, ) }, ... 92, ) == 0x0
 00281   536   NtQueryValueKey  (92,  (92, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00282   536   NtClose  (92, ... ) == 0x0
 00283   536   NtQueryVolumeInformationFile  (84, 3795348, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00284   536   NtOpenMutant  (0x120001, {24, 40, 0x0, 0, 0,  (0x120001, {24, 40, 0x0, 0, 0, "ShimCacheMutex"}, ... 92, ) }, ... 92, ) == 0x0
 00285   536   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00286   536   NtOpenSection  (0x2, {24, 40, 0x0, 0, 0,  (0x2, {24, 40, 0x0, 0, 0, "ShimSharedMemory"}, ... 96, ) }, ... 96, ) == 0x0
 00287   536   NtMapViewOfSection  (96, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 57344, ) == 0x0
 00288   536   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00289   536   NtAllocateVirtualMemory  (-1, 3784704, 0, 4096, 4096, 260, ... 3784704, 4096, ) == 0x0
 00290   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 3793332, ... ) }, 3793332, ... ) == 0x0
 00291   536   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00292   536   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00293   536   NtClose  (100, ... ) == 0x0
 00294   536   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 106496, ) == 0x0
 00295   536   NtClose  (104, ... ) == 0x0
 00296   536   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00297   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 3793648, ... ) }, 3793648, ... ) == 0x0
 00298   536   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00299   536   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00300   536   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00301   536   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 00302   536   NtQueryInformationToken  (108, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00303   536   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0
 00305   536   NtQueryValueKey  (112,  (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00306   536   NtClose  (112, ... ) == 0x0
 00307   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00308   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 00309   536   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00310   536   NtClose  (112, ... ) == 0x0
 00311   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   536   NtClose  (108, ... ) == 0x0
 00313   536   NtClose  (104, ... ) == 0x0
 00314   536   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00315   536   NtClose  (100, ... ) == 0x0
 00316   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00317   536   NtQueryInformationFile  (100, 3793936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00318   536   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 104, ) == 0x0
 00319   536   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1028096, ) == 0x0
 00320   536   NtQueryInformationFile  (100, 3794032, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00321   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00322   536   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00323   536   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00324   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00325   536   NtQueryDirectoryFile  (108, 0, 0, 0, 3791596, 616, BothDirectory, 1,  (108, 0, 0, 0, 3791596, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00326   536   NtClose  (108, ... ) == 0x0
 00327   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00328   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00329   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3790984, ... ) }, 3790984, ... ) == 0x0
 00330   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00331   536   NtQueryDirectoryFile  (108, 0, 0, 0, 3790344, 616, BothDirectory, 1,  (108, 0, 0, 0, 3790344, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00332   536   NtClose  (108, ... ) == 0x0
 00333   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00334   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00335   536   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00336   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00337   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00338   536   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00339   536   NtClose  (108, ... ) == 0x0
 00340   536   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00341   536   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\IEXPLORE.EXE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00342   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3792856, ... ) }, 3792856, ... ) == 0x0
 00343   536   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00344   536   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 00345   536   NtClose  (108, ... ) == 0x0
 00346   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00347   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00348   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791772, ... ) }, 3791772, ... ) == 0x0
 00349   536   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00350   536   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0
 00351   536   NtClose  (108, ... ) == 0x0
 00352   536   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 94208, ) == 0x0
 00353   536   NtClose  (112, ... ) == 0x0
 00354   536   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00355   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791412, ... ) }, 3791412, ... ) == 0x0
 00356   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3792112,  (0x80100080, {24, 0, 0x40, 0, 3792112, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00357   536   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 108, ) == 0x0
 00358   536   NtClose  (112, ... ) == 0x0
 00359   536   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 94208, ) == 0x0
 00360   536   NtClose  (108, ... ) == 0x0
 00361   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00362   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00363   536   NtQueryDefaultLocale  (1, 3792636, ... ) == 0x0
 00364   536   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00365   536   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00366   536   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00367   536   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 00368   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00369   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00370   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791764, ... ) }, 3791764, ... ) == 0x0
 00371   536   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00372   536   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0
 00373   536   NtClose  (108, ... ) == 0x0
 00374   536   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 94208, ) == 0x0
 00375   536   NtClose  (112, ... ) == 0x0
 00376   536   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00377   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791404, ... ) }, 3791404, ... ) == 0x0
 00378   536   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3792104,  (0x80100080, {24, 0, 0x40, 0, 3792104, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00379   536   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 108, ) == 0x0
 00380   536   NtClose  (112, ... ) == 0x0
 00381   536   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 94208, ) == 0x0
 00382   536   NtClose  (108, ... ) == 0x0
 00383   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00384   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00385   536   NtQueryDefaultLocale  (1, 3792628, ... ) == 0x0
 00386   536   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00387   536   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00388   536   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00390   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00391   536   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00392   536   NtClose  (108, ... ) == 0x0
 00393   536   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00395   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00396   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3793264, ... ) }, 3793264, ... ) == 0x0
 00397   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00398   536   NtQueryDirectoryFile  (108, 0, 0, 0, 3792624, 616, BothDirectory, 1,  (108, 0, 0, 0, 3792624, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00399   536   NtClose  (108, ... ) == 0x0
 00400   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00401   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00402   536   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00403   536   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00404   536   NtUnmapViewOfSection  (-1, 0x510000, ... ) == 0x0
 00405   536   NtClose  (104, ... ) == 0x0
 00406   536   NtClose  (100, ... ) == 0x0
 00407   536   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00408   536   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00409   536   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00410   536   NtOpenProcessToken  (-1, 0xa, ... 100, ) == 0x0
 00411   536   NtQueryInformationToken  (100, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00412   536   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00413   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00414   536   NtQueryValueKey  (104,  (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00415   536   NtQueryValueKey  (104,  (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00416   536   NtClose  (104, ... ) == 0x0
 00417   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00418   536   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00419   536   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00420   536   NtClose  (104, ... ) == 0x0
 00421   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00422   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00423   536   NtQueryValueKey  (104,  (104, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00424   536   NtClose  (104, ... ) == 0x0
 00425   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00426   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00427   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00428   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00429   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00430   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00431   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00432   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00433   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00434   536   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00435   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 104, ) }, ... 104, ) == 0x0
 00436   536   NtEnumerateKey  (104, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (104, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00437   536   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 108, ) }, ... 108, ) == 0x0
 00438   536   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00439   536   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00440   536   NtClose  (108, ... ) == 0x0
 00441   536   NtEnumerateKey  (104, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00442   536   NtClose  (104, ... ) == 0x0
 00443   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00447   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00448   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00449   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00451   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00452   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00453   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00454   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00455   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00456   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00457   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00458   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00459   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00460   536   NtClose  (104, ... ) == 0x0
 00461   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00462   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00463   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00464   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00465   536   NtClose  (104, ... ) == 0x0
 00466   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00467   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00468   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00469   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00470   536   NtClose  (104, ... ) == 0x0
 00471   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00472   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00473   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00474   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00475   536   NtClose  (104, ... ) == 0x0
 00476   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00478   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00479   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00480   536   NtClose  (104, ... ) == 0x0
 00481   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00482   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00483   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00484   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00485   536   NtClose  (104, ... ) == 0x0
 00486   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00487   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00488   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00489   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00490   536   NtClose  (104, ... ) == 0x0
 00491   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00492   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00493   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00494   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00495   536   NtClose  (104, ... ) == 0x0
 00496   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00498   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00499   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00500   536   NtClose  (104, ... ) == 0x0
 00501   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00502   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00503   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00504   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00505   536   NtClose  (104, ... ) == 0x0
 00506   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00507   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00508   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00509   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00510   536   NtClose  (104, ... ) == 0x0
 00511   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00512   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00513   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00514   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00515   536   NtClose  (104, ... ) == 0x0
 00516   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00518   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00519   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00520   536   NtClose  (104, ... ) == 0x0
 00521   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00522   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00523   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00524   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00525   536   NtClose  (104, ... ) == 0x0
 00526   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00527   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00528   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00529   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00530   536   NtClose  (104, ... ) == 0x0
 00531   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00533   536   NtQueryValueKey  (104,  (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00534   536   NtClose  (104, ... ) == 0x0
 00535   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00536   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00537   536   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00538   536   NtClose  (104, ... ) == 0x0
 00539   536   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00540   536   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00541   536   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 00542   536   NtDuplicateToken  (104, 0xc, {24, 0, 0x0, 0, 3795240, 0x0}, 0, 2, ... 108, ) == 0x0
 00543   536   NtClose  (104, ... ) == 0x0
 00544   536   NtAccessCheck  (1381632, 108, 0x1, 3795368, 3795312, 56, 3795396, ... (0x1), ) == 0x0
 00545   536   NtClose  (108, ... ) == 0x0
 00546   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 108, ) }, ... 108, ) == 0x0
 00547   536   NtQueryValueKey  (108,  (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00548   536   NtClose  (108, ... ) == 0x0
 00549   536   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 108, ) }, ... 108, ) == 0x0
 00550   536   NtQuerySymbolicLinkObject  (108, ...  (108, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00551   536   NtClose  (108, ... ) == 0x0
 00552   536   NtQueryInformationFile  (84, 3793700, 528, Name, ... {status=0x0, info=94}, ) == 0x0
 00553   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00554   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00555   536   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3792380, ... ) }, 3792380, ... ) == 0x0
 00556   536   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00557   536   NtQueryDirectoryFile  (108, 0, 0, 0, 3791740, 616, BothDirectory, 1,  (108, 0, 0, 0, 3791740, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00558   536   NtClose  (108, ... ) == 0x0
 00559   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00560   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00561   536   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00562   536   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00563   536   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00564   536   NtClose  (108, ... ) == 0x0
 00565   536   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00566   536   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0
 00567   536   NtClose  (108, ... ) == 0x0
 00568   536   NtQueryValueKey  (104,  (104, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00569   536   NtQueryValueKey  (104,  (104, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (104, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00570   536   NtClose  (104, ... ) == 0x0
 00571   536   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3866624, 4096, ) == 0x0
 00572   536   NtAllocateVirtualMemory  (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0
 00573   536   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00574   536   NtQueryValueKey  (104,  (104, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00575   536   NtClose  (104, ... ) == 0x0
 00576   536   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00577   536   NtQueryInformationToken  (100, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00578   536   NtQueryInformationToken  (100, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00579   536   NtClose  (100, ... ) == 0x0
 00580   536   NtCreateProcessEx  (3797976, 2035711, 0, -1, 0, 88, 0, 0, 0, ... ) == 0x0
 00581   536   NtQueryInformationProcess  (100, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=396,ParentPid=304,}, 0x0, ) == 0x0
 00582   536   NtReadVirtualMemory  (100, 0x7ffdf008, 4, ...  (100, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 00583   536   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00584   536   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 00585   536   NtReadVirtualMemory  (100, 0x400000, 4096, ...  (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\226 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257l\1\24\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) U\257\322 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\1\1\21\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257L\1I\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257l\1i\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) == 0x0
 00586   536   NtReadVirtualMemory  (100, 0x404000, 256, ...  (100, 0x404000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\6\0\0\0\370\1\0\200\16\0\0\0\20\2\0\200\20\0\0\0\330\2\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\07\0\1\0\0\0\360\2\0\200\2\0\0\0\10\3\0\200\3\0\0\0 \3\0\200\4\0\0\08\3\0\200\5\0\0\0P\3\0\200\6\0\0\0h\3\0\200\7\0\0\0\200\3\0\200\10\0\0\0\230\3\0\200\11\0\0\0\260\3\0\200\12\0\0\0\310\3\0\200\13\0\0\0\340\3\0\200\14\0\0\0\370\3\0\200\15\0\0\0\20\4\0\200\16\0\0\0(\4\0\200\17\0\0\0@\4\0\200\20\0\0\0X\4\0\200\21\0\0\0p\4\0\200\22\0\0\0\210\4\0\200\23\0\0\0\240\4\0\200\24\0\0\0\270\4\0\200\25\0\0\0\320\4\0\200\26\0\0\0\350\4\0\200\27\0\0\0\0\5\0\200\30\0\0\0\30\5\0\200", 256, ) , 256, ) == 0x0
 00587   536   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00588   536   NtQueryInformationProcess  (100, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=396,ParentPid=304,}, 0x0, ) == 0x0
 00589   536   NtAllocateVirtualMemory  (-1, 0, 0, 1788, 4096, 4, ... 3932160, 4096, ) == 0x0
 00590   536   NtAllocateVirtualMemory  (100, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00591   536   NtWriteVirtualMemory  (100, 0x10000,  (100, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00592   536   NtAllocateVirtualMemory  (100, 0, 0, 1788, 4096, 4, ... 131072, 4096, ) == 0x0
 00593   536   NtWriteVirtualMemory  (100, 0x20000,  (100, 0x20000, "\0\20\0\0\374\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0^\0`\0\264\5\0\0b\0d\0\24\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0^\0`\0x\6\0\0\36\0 \0\330\6\0\0\0\0\2\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1788, ... 0x0, ) , 1788, ... 0x0, ) == 0x0
 00594   536   NtWriteVirtualMemory  (100, 0x7ffdf010,  (100, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00595   536   NtAllocateVirtualMemory  (100, 0, 0, 148, 4096, 4, ... 196608, 4096, ) == 0x0
 00596   536   NtWriteVirtualMemory  (100, 0x30000,  (100, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\0\0\253\355\15\254\344\254\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 148, ... 0x0, ) , 148, ... 0x0, ) == 0x0
 00597   536   NtWriteVirtualMemory  (100, 0x7ffdf1e8,  (100, 0x7ffdf1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00598   536   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 4096, ) == 0x0
 00599   536   NtAllocateVirtualMemory  (100, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 00600   536   NtAllocateVirtualMemory  (100, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 00601   536   NtProtectVirtualMemory  (100, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 00602   536   NtCreateThread  (0x1f03ff, 0x0, 100, 3796240, 3796960, 1, ... 104, {396, 392}, ) == 0x0
 00603   536   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1365964, 0, 3798112, 2009901952}  (24, {168, 196, new_msg, 0, 1365964, 0, 3798112, 2009901952} "\0\0\0\0\0\0\1\0h\3649\0\0\0\0\0g\0\0\0h\0\0\0\214\1\0\0\210\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\260\333\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0\340\325\24\0" ... {168, 196, reply, 0, 304, 536, 1492, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\0\0\0\214\1\0\0\210\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\260\333\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0\340\325\24\0" )  ... {168, 196, reply, 0, 304, 536, 1492, 0}  (24, {168, 196, new_msg, 0, 1365964, 0, 3798112, 2009901952} "\0\0\0\0\0\0\1\0h\3649\0\0\0\0\0g\0\0\0h\0\0\0\214\1\0\0\210\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\260\333\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0\340\325\24\0" ... {168, 196, reply, 0, 304, 536, 1492, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\0\0\0\214\1\0\0\210\1\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\260\333\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0\340\325\24\0" )  ) == 0x0
 00604   536   NtClose  (84, ... ) == 0x0
 00605   536   NtClose  (88, ... ) == 0x0
 00606   536   NtGetContextThread  (104, 3798860, ... ) == 0x0
 00607   536   NtReadVirtualMemory  (100, 0x7ffdf008, 4, ...  (100, 0x7ffdf008, 4, ... "\0\0@\0", 4, ) , 4, ) == 0x0
 00608   536   NtAllocateVirtualMemory  (100, 320077824, 0, 1089536, 12288, 4, ... 320077824, 1089536, ) == 0x0
 00609   536   NtProtectVirtualMemory  (100, (0x13140000), 512, 64, ... (0x13140000), 4096, 4, ) == 0x0
 00610   536   NtProtectVirtualMemory  (100, (0x13140000), 4096, 4, ... (0x13140000), 4096, 64, ) == 0x0
 00611   536   NtWriteVirtualMemory  (100, 0x13140000,  (100, 0x13140000, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\2\0\332\206\23G\0\0\0\0\0\0\0\0\340\0\17\1\13\1\5\14\0\14\0\0\0x\20\0\0\0\0\0\20\20\0\0\0\20\0\0\0 \0\0\0\0\24\23\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\20\0\0\2\0\0\360b\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\230\33\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\374\13\0\0\0\20\0\0\0\14\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0zw\20\0\0 \0\0\0\6\0\0\0\16\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 512, ... 512, ) , 512, ... 512, ) == 0x0
 00612   536   NtFlushInstructionCache  (100, 320077824, 512, ... ) == 0x0
 00613   536   NtProtectVirtualMemory  (100, (0x13141000), 3072, 64, ... (0x13141000), 4096, 4, ) == 0x0
 00614   536   NtProtectVirtualMemory  (100, (0x13141000), 4096, 4, ... (0x13141000), 4096, 64, ) == 0x0
 00615   536   NtWriteVirtualMemory  (100, 0x13141000,  (100, 0x13141000, "\336\33\0\0\314\33\0\0\0\0\0\0\0\0\0\0\270\263%\24\23-% \24\23Ph% \24\23\350E\13\0\0\241\14 \24\23\203\370\0u\3\0\0h\323 \24\23j\0j\0\377\25\312\226$\23\241\0 \24\23\203\370\0t\11\276_!\24\23N\306\6 h\310\0\0\0h\244\220$\23h\3!\24\23\377\25\346\226$\23h?!\24\23h\244\220$\23h:!\24\23h\310\212$\23\377\25v\227$\23\203\304\20j\0h\200\0\0\0j\2j\0j\0h\0\0\0\300hz!\24\23\377\25\306\226$\23\243\267\226$\23h\310\0\0\0h\24\217$\23h\367 \24\23\377\25\346\226$\23h\230q$\23\350\370\2\0\0h% \24\23\350\323\6\0\0\243\310\221$\23\243\314\221$\23\200=\274\226$\23\0\17\204\305\0\0\0h\310\0\0\0h\334\217$\23h\374 \24\23\377\25\346\226$\23\273\334\217$\233\366CF\200;\0u\371h\20!\24\23h\334\217$\23h\33!\24\23h\340\306\33\23\377\25v\227$\23\203\304\20\277\340\306\33\23\3\376\203\307\12\273\12\0\0\0K\203\373\377t3\210\37\200\70j\0h\200\0\0\0j\3j\0j\0h\0\0\0\200h\340\306\33\23\377\25\306\226$\23\203\370\377t\323P\377\25\302\226$\23\351\367\0\0\0\377\25\356\226$\233\322\271\12\0\0\0\367\361\200\3020\210\27j\0h\200\0\0\0j\1j\0j\0", 3072, ... 3072, ) \3\0\0h\323 \24\23j\0j\0\377\25\312\226$\23\241\0 \24\23\203\370\0t\11\276_!\24\23N\306\6 h\310\0\0\0h\244\220$\23h\3!\24\23\377\25\346\226$\23h?!\24\23h\244\220$\23h:!\24\23h\310\212$\23\377\25v\227$\23\203\304\20j\0h\200\0\0\0j\2j\0j\0h\0\0\0\300hz!\24\23\377\25\306\226$\23\243\267\226$\23h\310\0\0\0h\24\217$\23h\367 \24\23\377\25\346\226$\23h\230q$\23\350\370\2\0\0h% \24\23\350\323\6\0\0\243\310\221$\23\243\314\221$\23\200=\274\226$\23\0\17\204\305\0\0\0h\310\0\0\0h\334\217$\23h\374 \24\23\377\25\346\226$\23\273\334\217$\233\366CF\200;\0u\371h\20!\24\23h\334\217$\23h\33!\24\23h\340\306\33\23\377\25v\227$\23\203\304\20\277\340\306\33\23\3\376\203\307\12\273\12\0\0\0K\203\373\377t3\210\37\200\70j\0h\200\0\0\0j\3j\0j\0h\0\0\0\200h\340\306\33\23\377\25\306\226$\23\203\370\377t\323P\377\25\302\226$\23\351\367\0\0\0\377\25\356\226$\233\322\271\12\0\0\0\367\361\200\3020\210\27j\0h\200\0\0\0j\1j\0j\0", 3072, ... 3072, ) == 0x0
 00616   536   NtFlushInstructionCache  (100, 320081920, 3072, ... ) == 0x0
 00617   536   NtProtectVirtualMemory  (100, (0x13141000), 3068, 32, ... (0x13141000), 4096, 4, ) == 0x0
 00618   536   NtProtectVirtualMemory  (100, (0x13142000), 1536, 64, ... (0x13142000), 4096, 4, ) == 0x0
 00619   536   NtProtectVirtualMemory  (100, (0x13142000), 4096, 4, ... (0x13142000), 4096, 64, ) == 0x0
 00620   536   NtWriteVirtualMemory  (100, 0x13142000,  (100, 0x13142000, "\0\0\0\0p\0\0\0%\0\0\0\330\5\350w\375\245\347w3a6SiG75nXoOI7df\0\5W\30a]q\31\2\v^xz7RQ\35P\16}Xv\3\33W`o}y\17JP\5O\7j]i\5\1_XYyg\5PP\35S\3aGu\6\6nnYa{\3RH\1T\4}[v\25\hWa\177\1JW\12U\30aZs75\6,\33?s\30KC@NE+6bBjK-0j:hA\25\14DES.\2c\25A+0jw^ay:nk9az<\10#{\\14*\16=0vd!V\25f!\6$vQ\12*\12<:7\17RYO\5a!\30Q\2\24\75y,\31\3^tQ6v\32\33\22@@=\27*I:nk9ab\26$\277B\76\13&;74\24\\6D2\4\1^Y\13+o\23:N\27\22V\14\5a5G\22FK+V\20,O\7\3C\25_<\7iYY\35X3#-E\12\22\35\3_=ibD\20\35X3\6'C\1\24]\4Bs,?GY\1*\12=\25^\1\36C\15Y!\14iRM\13X\35*:C\5\24Gaj\17G\33g]\27+\6,([ \24Z\27Sci\33k\332\12\32!=^\11\33\17B7\5+\31Q\24o\25>f\21\3A\30e*\323RX'6\11 ;Z\5\22Z\16XS:(QA\319\35*\25z\15\5A\16E<\173kb\76\13 >D8%F\23D6\73aP\34+\6 'k0\16V\14S 5\13VF\32\14\7*$Rd*R\22BSnG\P\346\12#z\5J", 1536, ... 1536, ) , 1536, ... 1536, ) == 0x0
 00621   536   NtFlushInstructionCache  (100, 320086016, 1536, ... ) == 0x0
 00622   536   NtProtectVirtualMemory  (100, (0x13142000), 1079162, 4, ... (0x13142000), 1081344, 4, ) == 0x0
 00623   536   NtProtectVirtualMemory  (100, (0x7ffdf008), 4, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 00624   536   NtProtectVirtualMemory  (100, (0x7ffdf000), 4096, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 00625   536   NtWriteVirtualMemory  (100, 0x7ffdf008,  (100, 0x7ffdf008, "\0\0\24\23", 4, ... 4, ) , 4, ... 4, ) == 0x0
 00626   536   NtFlushInstructionCache  (100, 2147348488, 4, ... ) == 0x0
 00627   536   NtSetContextThread  (104, 3798860, ... ) == 0x0
 00628   536   NtResumeThread  (104, ... 1, ) == 0x0
 00629   536   NtClose  (100, ... ) == 0x0
 00630   536   NtClose  (104, ... ) == 0x0
 00631   536   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3799476,  (0xc0100080, {24, 0, 0x40, 0, 3799476, "\??\Runtime"}, 0x0, 128, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0
 00632   536   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x9c402400,  (104, 0, 0x0, 0x0, 0x9c402400, "\214\1\0\0", 4, 0, ... {status=0x0, info=0}, 0x0, ) , 4, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00633   536   NtClose  (104, ... ) == 0x0
 00634   536   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drivers\runtime.sys"}, 7, 2113600, ... 104, {status=0x0, info=1}, ) }, 7, 2113600, ... 104, {status=0x0, info=1}, ) == 0x0
 00635   536   NtQueryInformationFile  (104, 3799548, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 00636   536   NtSetInformationFile  (104, 3799599, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 00637   536   NtClose  (104, ... ) == 0x0
 00638   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00639   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00640   536   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ":\work\packed.ex"}, 3797640, ... ) }, 3797640, ... ) == STATUS_OBJECT_PATH_SYNTAX_BAD
 00641   536   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00642   536   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00643   536   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00644   536   NtClose  (60, ... ) == 0x0
 00645   536   NtClose  (56, ... ) == 0x0
 00646   536   NtTerminateThread  (0, 0, ...
 00647   536   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 262144, ) == 0x0
NtAccessCheck(>)	1	NtGetContextThread(>)	2	NtResumeThread(>)	4	NtQuerySystemInformation(>)	11
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtSetValueKey(>)	4	NtSetInformationFile(>)	13
NtDeviceIoControlFile(>)	1	NtOpenMutant(>)	2	NtContinue(>)	5	NtSetInformationProcess(>)	13
NtLoadDriver(>)	1	NtOpenSymbolicLinkObject(>)	2	NtCreateEvent(>)	5	NtCreateFile(>)	14
NtOpenEvent(>)	1	NtQueryDefaultUILanguage(>)	2	NtFlushInstructionCache(>)	5	NtOpenFile(>)	15
NtOpenKeyedEvent(>)	1	NtQuerySymbolicLinkObject(>)	2	NtFreeVirtualMemory(>)	5	NtProtectVirtualMemory(>)	15
NtQueryDebugFilterState(>)	1	NtReleaseMutant(>)	2	NtQueryVirtualMemory(>)	5	NtMapViewOfSection(>)	16
NtQueryInformationJobObject(>)	1	NtSetContextThread(>)	2	NtRequestWaitReplyPort(>)	5	NtQueryAttributesFile(>)	18
NtQueryInstallUILanguage(>)	1	NtSetInformationObject(>)	2	NtFsControlFile(>)	6	NtQueryInformationProcess(>)	18
NtQueryObject(>)	1	NtSuspendThread(>)	2	NtOpenThreadToken(>)	6	NtOpenProcessTokenEx(>)	21
NtQuerySystemTime(>)	1	NtAdjustPrivilegesToken(>)	3	NtQueryInformationFile(>)	6	NtOpenThreadTokenEx(>)	21
NtReadFile(>)	1	NtCreateThread(>)	3	NtSetInformationThread(>)	6	NtQueryDefaultLocale(>)	22
NtSecureConnectPort(>)	1	NtQueryInformationThread(>)	3	NtUnmapViewOfSection(>)	6	NtQueryValueKey(>)	23
NtTerminateThread(>)	1	NtQuerySection(>)	3	NtOpenProcessToken(>)	7	NtQueryInformationToken(>)	26
NtCreateIoCompletion(>)	2	NtRegisterThreadTerminatePort(>)	3	NtWaitForSingleObject(>)	8	NtAllocateVirtualMemory(>)	40
NtCreateKey(>)	2	NtTestAlert(>)	3	NtCreateSection(>)	9	NtOpenKey(>)	71
NtDuplicateObject(>)	2	NtQueryDirectoryFile(>)	4	NtWriteFile(>)	9	NtClose(>)	101
NtDuplicateToken(>)	2	NtQueryVolumeInformationFile(>)	4	NtWriteVirtualMemory(>)	9
NtEnumerateKey(>)	2	NtReadVirtualMemory(>)	4