Summary:


NtAccessCheck(>)  1 
NtEnumerateKey(>)  2 
NtReadVirtualMemory(>)  4 
NtQuerySystemInformation(>)  11 

NtCreateProcessEx(>)  1 
NtGetContextThread(>)  2 
NtResumeThread(>)  4 
NtSetInformationFile(>)  12 

NtDeviceIoControlFile(>)  1 
NtOpenDirectoryObject(>)  2 
NtContinue(>)  5 
NtSetInformationProcess(>)  13 

NtLoadDriver(>)  1 
NtOpenMutant(>)  2 
NtCreateEvent(>)  5 
NtCreateFile(>)  14 

NtOpenEvent(>)  1 
NtOpenSymbolicLinkObject(>)  2 
NtFlushInstructionCache(>)  5 
NtOpenFile(>)  15 

NtOpenKeyedEvent(>)  1 
NtQueryDefaultUILanguage(>)  2 
NtFreeVirtualMemory(>)  5 
NtProtectVirtualMemory(>)  15 

NtQueryDebugFilterState(>)  1 
NtQuerySymbolicLinkObject(>)  2 
NtQueryVirtualMemory(>)  5 
NtMapViewOfSection(>)  16 

NtQueryInformationJobObject(>)  1 
NtReleaseMutant(>)  2 
NtRequestWaitReplyPort(>)  5 
NtQueryAttributesFile(>)  18 

NtQueryInstallUILanguage(>)  1 
NtSetContextThread(>)  2 
NtFsControlFile(>)  6 
NtQueryInformationProcess(>)  18 

NtQueryObject(>)  1 
NtSetInformationObject(>)  2 
NtOpenThreadToken(>)  6 
NtDelayExecution(>)  19 

NtQuerySystemTime(>)  1 
NtAdjustPrivilegesToken(>)  3 
NtQueryInformationFile(>)  6 
NtOpenProcessTokenEx(>)  21 

NtReadFile(>)  1 
NtCreateThread(>)  3 
NtSetInformationThread(>)  6 
NtOpenThreadTokenEx(>)  21 

NtSecureConnectPort(>)  1 
NtQueryInformationThread(>)  3 
NtUnmapViewOfSection(>)  6 
NtQueryDefaultLocale(>)  22 

NtSuspendThread(>)  1 
NtQuerySection(>)  3 
NtOpenProcessToken(>)  7 
NtQueryValueKey(>)  23 

NtTerminateThread(>)  1 
NtRegisterThreadTerminatePort(>)  3 
NtWaitForSingleObject(>)  8 
NtQueryInformationToken(>)  26 

NtCreateIoCompletion(>)  2 
NtSetValueKey(>)  3 
NtCreateSection(>)  9 
NtAllocateVirtualMemory(>)  40 

NtCreateKey(>)  2 
NtTestAlert(>)  3 
NtWriteFile(>)  9 
NtOpenKey(>)  71 

NtDuplicateObject(>)  2 
NtQueryDirectoryFile(>)  4 
NtWriteVirtualMemory(>)  9 
NtClose(>)  101 

NtDuplicateToken(>)  2 
NtQueryVolumeInformationFile(>)  4 
NtOpenSection(>)  11 

Trace:
 00001   528   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   528   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   528   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   528   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   528   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   528   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   528   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   528   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   528   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   528   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   528   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   528   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   528   NtClose  (12, ... ) == 0x0
 00014   528   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   528   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   528   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   528   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   528   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   528   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   528   NtClose  (16, ... ) == 0x0
 00021   528   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   528   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   528   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   528   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   528   NtClose  (16, ... ) == 0x0
 00026   528   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   528   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   528   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   528   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   528   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   528   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 516, 528, 1523, 0} "h\226\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 516, 528, 1523, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 516, 528, 1523, 0} "h\226\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   528   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   528   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   528   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   528   NtClose  (16, ... ) == 0x0
 00036   528   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   528   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   528   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   528   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   528   NtClose  (28, ... ) == 0x0
 00041   528   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   528   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   528   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   528   NtClose  (28, ... ) == 0x0
 00045   528   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   528   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   528   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   528   NtClose  (28, ... ) == 0x0
 00049   528   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   528   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   528   NtClose  (28, ... ) == 0x0
 00052   528   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   528   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   528   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   528   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 516, 528, 1527, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 516, 528, 1527, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 516, 528, 1527, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   528   NtProtectVirtualMemory  (-1, (0x401000), 52, 4, ... (0x401000), 4096, 32, ) == 0x0
 00057   528   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00058   528   NtFlushInstructionCache  (-1, 4198400, 52, ... ) == 0x0
 00059   528   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00060   528   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00061   528   NtClose  (28, ... ) == 0x0
 00062   528   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00063   528   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00064   528   NtClose  (28, ... ) == 0x0
 00065   528   NtTestAlert  (... ) == 0x0
 00066   528   NtContinue  (1244464, 1, ...
 00067   528   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401040,}, 4, ... ) == 0x0
 00068   528   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 4259840, 1048576, ) == 0x0
 00069   528   NtAllocateVirtualMemory  (-1, 5300224, 0, 8192, 4096, 4, ... 5300224, 8192, ) == 0x0
 00070   528   NtProtectVirtualMemory  (-1, (0x50e000), 4096, 260, ... (0x50e000), 4096, 4, ) == 0x0
 00071   528   NtCreateThread  (0x1f03ff, 0x0, -1, 1244284, 1245000, 1, ... 28, {516, 752}, ) == 0x0
 00072   528   NtQueryInformationThread  (28, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=516,Tid=752,}, 0x0, ) == 0x0
 00073   528   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 4128831, 4128831, 0, 0}  (24, {28, 56, new_msg, 0, 4128831, 4128831, 0, 0} "\0\0\0\0\1\0\1\0\34\20\374\177"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" ... {28, 56, reply, 0, 516, 528, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" ) \24\374\177\34\0\0\0\4\2\0\0\360\2\0\0 (24, {28, 56, new_msg, 0, 4128831, 4128831, 0, 0} "\0\0\0\0\1\0\1\0\34\20\374\177"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" ... {28, 56, reply, 0, 516, 528, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" ) \0\0\0\0\1\0\1\0\0\0\0\0 (24, {28, 56, new_msg, 0, 4128831, 4128831, 0, 0} "\0\0\0\0\1\0\1\0\34\20\374\177"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" ... {28, 56, reply, 0, 516, 528, 1533, 0} "\0\0\0\0\1\0\1\0\0\0\0\0"\24\374\177\34\0\0\0\4\2\0\0\360\2\0\0" )  ) == 0x0
 00074   528   NtGetContextThread  (28, 4202496, ... ) == 0x0
 00075   528   NtSetContextThread  (28, 4202496, ... ) == 0x0
 00076   528   NtResumeThread  (28, ...
 00077   752   NtTestAlert  (... ) == 0x0
 00078   752   NtContinue  (5307696, 1, ...
 00079   752   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00080   752   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00081   752   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3276800, 262144, ) == 0x0
 00082   752   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00083   752   NtAllocateVirtualMemory  (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0
 00076   528   NtResumeThread  ... 1, ) == 0x0
 00084   528   NtSuspendThread  (-2, ...
 00085   752   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00086   752   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3538944, 262144, ) == 0x0
 00087   752   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00088   752   NtAllocateVirtualMemory  (-1, 3543040, 0, 61440, 4096, 4, ... 3543040, 61440, ) == 0x0
 00089   752   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00090   752   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3801088, 262144, ) == 0x0
 00091   752   NtAllocateVirtualMemory  (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0
 00092   752   NtAllocateVirtualMemory  (-1, 0, 0, 12800032, 4096, 4, ... 5308416, 12804096, ) == 0x0
 00093   752   NtAllocateVirtualMemory  (-1, 336855040, 0, 36864, 12288, 64, ... 336855040, 36864, ) == 0x0
 00094   752   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0
 00095   752   NtQueryValueKey  (32,  (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00096   752   NtClose  (32, ... ) == 0x0
 00097   752   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00098   752   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00099   752   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00100   752   NtClose  (32, ... ) == 0x0
 00101   752   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00102   752   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00103   752   NtClose  (32, ... ) == 0x0
 00104   752   NtAllocateVirtualMemory  (-1, 5296128, 0, 4096, 4096, 260, ... 5296128, 4096, ) == 0x0
 00105   752   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00106   752   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00107   752   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00108   752   NtClose  (32, ... ) == 0x0
 00109   752   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00110   752   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00111   752   NtClose  (32, ... ) == 0x0
 00112   752   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00113   752   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00114   752   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   752   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 262144, ) == 0x0
 00116   752   NtFreeVirtualMemory  (-1, (0x510000), 0, 32768, ... (0x510000), 12804096, ) == 0x0
 00117   752   NtFreeVirtualMemory  (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 262144, ) == 0x0
 00118   752   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 3538944, 262144, ) == 0x0
 00119   752   NtAllocateVirtualMemory  (-1, 3788800, 0, 12288, 4096, 4, ... 3788800, 12288, ) == 0x0
 00120   752   NtProtectVirtualMemory  (-1, (0x39d000), 4096, 260, ... (0x39d000), 4096, 4, ) == 0x0
 00121   752   NtCreateThread  (0x1f03ff, 0x0, -1, 5307496, 5308212, 1, ... 36, {516, 880}, ) == 0x0
 00122   752   NtQueryInformationThread  (36, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=516,Tid=880,}, 0x0, ) == 0x0
 00123   752   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\0\4\2\0\0p\3\0\0" ... {28, 56, reply, 0, 516, 752, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\0\4\2\0\0p\3\0\0" )  ... {28, 56, reply, 0, 516, 752, 1546, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\0\4\2\0\0p\3\0\0" ... {28, 56, reply, 0, 516, 752, 1546, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\0\0\0\4\2\0\0p\3\0\0" )  ) == 0x0
 00124   752   NtResumeThread  (36, ... 1, ) == 0x0
 00125   752   NtDelayExecution  (0, {-40000000, -1}, ...
 00126   880   NtTestAlert  (... ) == 0x0
 00127   880   NtContinue  (3800368, 1, ...
 00128   880   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00129   880   NtOpenThreadToken  (-2, 0x28, 0, ... ) == STATUS_NO_TOKEN
 00130   880   NtOpenProcessToken  (-1, 0x2, ... 40, ) == 0x0
 00131   880   NtDuplicateToken  (40, 0x4, {24, 0, 0x0, 0, 3799496, 0x0}, 0, 2, ... 44, ) == 0x0
 00132   880   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=44,}, 4, ... ) == 0x0
 00133   880   NtClose  (44, ... ) == 0x0
 00134   880   NtClose  (40, ... ) == 0x0
 00135   880   NtOpenThreadToken  (-2, 0x28, 0, ... 40, ) == 0x0
 00136   880   NtAdjustPrivilegesToken  (40, 0, 1326580, 1024, 1325556, 3799540, ... ) == 0x0
 00137   880   NtSetInformationProcess  (-1, PriorityClass, {process info, class 18, size 2}, 1024, ... ) == 0x0
 00138   880   NtClose  (40, ... ) == 0x0
 00139   880   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00140   880   NtSetInformationThread  (-2, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0
 00141   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0
 00142   880   NtQueryInformationFile  (40, 3798716, 528, Name, ... {status=0x0, info=42}, ) == 0x0
 00143   880   NtQueryVolumeInformationFile  (40, 1325680, 144, Attribute, ... {status=0x0, info=20}, ) == 0x0
 00144   880   NtClose  (40, ... ) == 0x0
 00145   880   NtQueryDefaultUILanguage  (2013024600, ...
 00146   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00147   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00148   880   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00149   880   NtClose  (-2147482032, ... ) == 0x0
 00150   880   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00151   880   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   880   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00153   880   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00154   880   NtClose  (-2147482044, ... ) == 0x0
 00155   880   NtClose  (-2147482032, ... ) == 0x0
 00145   880   NtQueryDefaultUILanguage  ... ) == 0x0
 00156   880   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00157   880   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00158   880   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00159   880   NtQueryDefaultLocale  (0, 3799260, ... ) == 0x0
 00160   880   NtAllocateVirtualMemory  (-1, 1327104, 0, 8192, 4096, 4, ... 1327104, 8192, ) == 0x0
 00161   880   NtOpenFile  (0x100000, {24, 0, 0x40, 0, 0,  (0x100000, {24, 0, 0x40, 0, 0, "\??\C:\polyunpack"}, 3, 33, ... 40, {status=0x0, info=1}, ) }, 3, 33, ... 40, {status=0x0, info=1}, ) == 0x0
 00162   880   NtClose  (40, ... ) == 0x0
 00163   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\polyunpack"}, 3, 8388641, ... 40, {status=0x0, info=1}, ) }, 3, 8388641, ... 40, {status=0x0, info=1}, ) == 0x0
 00164   880   NtQueryVolumeInformationFile  (40, 3799380, 24, Size, ... {status=0x0, info=24}, ) == 0x0
 00165   880   NtClose  (40, ... ) == 0x0
 00166   880   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 3799364,  (0x100080, {24, 0, 0x40, 0, 3799364, "\??\C:\WINDOWS\System32\drivers\secdrv.sys"}, 0x0, 0, 7, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) }, 0x0, 0, 7, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) == 0x0
 00167   880   NtQueryInformationFile  (40, 3799380, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00168   880   NtFsControlFile  (40, 0, 0x0, 0x0, 0x90073,  (40, 0, 0x0, 0x0, 0x90073, "\0\0\0\0\0\0\0\0", 8, 128, ... {status=0x0, info=32}, "\1\0\0\0x\1\24\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\1j\1\0\0\0\0\0", ) , 8, 128, ... {status=0x0, info=32},  (40, 0, 0x0, 0x0, 0x90073, "\0\0\0\0\0\0\0\0", 8, 128, ... {status=0x0, info=32}, "\1\0\0\0x\1\24\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\1j\1\0\0\0\0\0", ) , ) == 0x0
 00169   880   NtClose  (40, ... ) == 0x0
 00170   880   NtAllocateVirtualMemory  (-1, 1335296, 0, 28672, 4096, 4, ... 1335296, 28672, ) == 0x0
 00171   880   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3799364,  (0xc0100080, {24, 0, 0x40, 0, 3799364, "\??\C:"}, 0x0, 0, 3, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 40, {status=0x0, info=1}, ) == 0x0
 00172   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00173   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\2\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00174   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00175   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) \300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17 (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) \300\211q\20\213E\370\17 (40, 0, 0, 0, "\377\377PSW\350\14\375\377\377+\265\320\376\377\377\213\320\241X\27\1\0\377p\10\3\327\350\247\375\377\3773\311\205\300\211E\260v1\372\17 \300\211E\254%\377\377\376\377\17"\300\213\4\212\213\35X\27\1\0\213\33\215\2040\0\0\0\200\211\4\213\213E\254\17"\300\373A;M\260r\317j\0W\377\25(\27\1\03\300@[\213M\374_^\350\345\5\0\0\311\303\314\314\314\314\314\314\213\377U\213\354\203\354\20SV\21358\27\1\0W\215E\374P3\333SPj\13\377\326hDdk \377u\374j\1\377\254\27\1\0\213\370\213E\374S\301\340\2PWj\13\377\3263\3009\37\211]\360vt\215O\36\211]\370\211M\364\213U\364\17\267\22\3U\370\213M\10\215t: \212\36\212\323:\31u\32\204\322t\22\212^\1\212\323:Y\1u\14FFAA\204\322u\3423\311\353\5\33\311\203\331\3773\333;\313t\22\271\34\1\0\0\1M\370\1M\364@;\7r\263\353\34i\300\34\1\0\0\215D8\4\213H\10\211M\360\213M\14;\313t\5\213@\14\211\1SW\377\25(\27\1\0\213E\360_^[\311\302\10\0\314\\0D\0r\0i\0v\0e\0r\0\\0T\0c\0p\0i\0p\0\0\0\314\314\314\314\314\314\213\377U\213\354\203\354\20VWhF\21\1\0\215E\360P\377\25\14\27\1\0\215E\374P\241\10\27\1\03\366VV\3770\215E\360VVj@P\377\25\4\27\1\0\213\370;\376|1\213E\374\213H\4\353\34\372\17 \300\211E\370%\377\377\376\377\17"\300\211q\20\213E\370\17"\300\373\213I\14;\316u\340\213M\374\377\25\0\27\1\0\213\307_^\311\303\314tcpip.sys\0\314\314\314\314\314\314\213\377U\213\354\203\354\20", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00176   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00177   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00178   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00179   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00180   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00181   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00182   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00183   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00184   880   NtSetInformationFile  (40, 3799420, 8, Position, ... {status=0x0, info=0}, ) == 0x0
 00185   880   NtWriteFile  (40, 0, 0, 0,  (40, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0
 00186   880   NtClose  (40, ... ) == 0x0
 00187   880   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 3799364,  (0x100080, {24, 0, 0x40, 0, 3799364, "\??\C:\WINDOWS\System32\drivers\secdrv.sys"}, 0x0, 128, 7, 1, 104, 0, 0, ... }, 0x0, 128, 7, 1, 104, 0, 0, ...
 00188   880   NtContinue  (-134858008, 0, ...
 00189   880   NtContinue  (-134858244, 0, ...
 00187   880   NtCreateFile  ... 40, {status=0x0, info=1}, ) == 0x0
 00190   880   NtClose  (40, ... ) == 0x0
 00191   880   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 40, ) }, ... 40, ) == 0x0
 00192   880   NtOpenEvent  (0x100000, {24, 40, 0x0, 0, 0,  (0x100000, {24, 40, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 44, ) }, ... 44, ) == 0x0
 00193   880   NtWaitForSingleObject  (44, 0, {-1800000000, -1}, ... ) == 0x0
 00194   880   NtClose  (44, ... ) == 0x0
 00195   880   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00196   880   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00197   880   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 44, ) }, ... 44, ) == 0x0
 00198   880   NtQueryValueKey  (44,  (44, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00199   880   NtClose  (44, ... ) == 0x0
 00200   880   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00201   880   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 44, ) == 0x0
 00202   880   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 48, ) == 0x0
 00203   880   NtQuerySystemTime  (... {112904868, 29882242}, ) == 0x0
 00204   880   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 52, ) == 0x0
 00205   880   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00206   880   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00207   880   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00208   880   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00209   880   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0
 00210   880   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 60, ) == 0x0
 00211   880   NtAllocateVirtualMemory  (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0
 00212   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 64, ) }, ... 64, ) == 0x0
 00213   880   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "ActiveComputerName"}, ... 68, ) }, ... 68, ) == 0x0
 00214   880   NtQueryValueKey  (68,  (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (68, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00215   880   NtClose  (68, ... ) == 0x0
 00216   880   NtClose  (64, ... ) == 0x0
 00217   880   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 64, ) == 0x0
 00218   880   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 68, ) == 0x0
 00219   880   NtDuplicateObject  (-1, 64, -1, 0x0, 0, 2, ... 72, ) == 0x0
 00220   880   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00221   880   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0
 00222   880   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00223   880   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00224   880   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3797912,  (0xc0100080, {24, 0, 0x40, 0, 3797912, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 80, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 80, {status=0x0, info=1}, ) == 0x0
 00225   880   NtSetInformationFile  (80, 3797968, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00226   880   NtSetInformationFile  (80, 3797960, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00227   880   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00228   880   NtWriteFile  (80, 57, 0, 0,  (80, 57, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00229   880   NtAllocateVirtualMemory  (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0
 00230   880   NtReadFile  (80, 57, 0, 0, 1024, {0, 0}, 0, ... {status=0x103, info=0}, "", ) == 0x103
 00231   880   NtWaitForSingleObject  (57, 1, {-410065408, -3}, ... ) == 0x0
 00232   880   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\270!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\270!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00233   880   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00234   880   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0'\5\245?uc\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0S\0e\0c\0d\0r\0v\0\0\0\0\0\377\1\17\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0'\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0'\5\245?uc\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0S\0e\0c\0d\0r\0v\0\0\0\0\0\377\1\17\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0'\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 00235   880   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00236   880   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\23\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=48},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\3\0\0\0\34\0\0\0\0\0\23\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 00237   880   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00238   880   NtFsControlFile  (80, 57, 0x0, 0x0, 0x11c017,  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=28},  (80, 57, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0(\5\245?uc\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=28}, "\5\0\2\3\20\0\0\0\34\0\0\0\3\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00239   880   NtWaitForSingleObject  (57, 0, 0x0, ... ) == 0x0
 00240   880   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00241   880   NtQueryDefaultLocale  (1, 3799280, ... ) == 0x0
 00242   880   NtQueryDefaultLocale  (0, 3799260, ... ) == 0x0
 00243   880   NtAllocateVirtualMemory  (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0
 00244   880   NtCreateFile  (0x40100080, {24, 0, 0x40, 0, 3799476,  (0x40100080, {24, 0, 0x40, 0, 3799476, "\??\C:\WINDOWS\System32\drivers\runtime.sys"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 00245   880   NtClose  (-2147482032, ... ) == 0x0
 00244   880   NtCreateFile  ... 84, {status=0x0, info=2}, ) == 0x0
 00246   880   NtWriteFile  (84, 0, 0, 0,  (84, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 5632, 0x0, 0, ... {status=0x0, info=5632}, ) , 5632, 0x0, 0, ... {status=0x0, info=5632}, ) == 0x0
 00247   880   NtClose  (84, ... ) == 0x0
 00248   880   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services"}, ... 84, ) }, ... 84, ) == 0x0
 00249   880   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "runtime"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 00250   880   NtSetInformationFile  (-2147482844, -134855644, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00251   880   NtSetInformationFile  (-2147482844, -134855740, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00249   880   NtCreateKey  ... 88, 1, ) == 0x0
 00252   880   NtSetValueKey  (88,  (88, "ImagePath", 0, 1, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0i\0v\0e\0r\0s\0\\0r\0u\0n\0t\0i\0m\0e\0.\0s\0y\0s\0\0\0", 88, ... ) , 0, 1,  (88, "ImagePath", 0, 1, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0i\0v\0e\0r\0s\0\\0r\0u\0n\0t\0i\0m\0e\0.\0s\0y\0s\0\0\0", 88, ... ) , 88, ... ) == 0x0
 00253   880   NtSetValueKey  (88,  (88, "Type", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4,  (88, "Type", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00254   880   NtSetValueKey  (88,  (88, "Start", 0, 4, "\3\0\0\0", 4, ... ) , 0, 4,  (88, "Start", 0, 4, "\3\0\0\0", 4, ... ) , 4, ... ) == 0x0
 00255   880   NtClose  (88, ... ) == 0x0
 00256   880   NtClose  (84, ... ) == 0x0
 00257   880   NtOpenProcessToken  (-1, 0x28, ... 84, ) == 0x0
 00258   880   NtAdjustPrivilegesToken  (84, 0, 3798984, 16, 3798968, 3799000, ... ) == 0x0
 00259   880   NtClose  (84, ... ) == 0x0
 00260   880   NtLoadDriver  ( ("\Registry\Machine\System\CurrentControlSet\Services\runtime", ... ) , ... ) == 0x0
 00261   880   NtOpenProcessToken  (-1, 0x28, ... 84, ) == 0x0
 00262   880   NtAdjustPrivilegesToken  (84, 0, 3798984, 16, 3798968, 3799000, ... ) == 0x0
 00263   880   NtClose  (84, ... ) == 0x0
 00264   880   NtQueryDefaultLocale  (1, 3799312, ... ) == 0x0
 00265   880   NtQueryDefaultLocale  (1, 3799312, ... ) == 0x0
 00266   880   NtQueryDefaultLocale  (0, 3799292, ... ) == 0x0
 00267   880   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 00268   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00269   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program.exe"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00270   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3796048,  (0x80100080, {24, 0, 0x40, 0, 3796048, "\??\C:\Program"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00271   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00272   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet.exe"}, 3795348, ... ) }, 3795348, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3796048,  (0x80100080, {24, 0, 0x40, 0, 3796048, "\??\C:\Program Files\Internet"}, 0x0, 128, 3, 1, 96, 0, 0, ... ) }, 0x0, 128, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00274   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3795348, ... ) }, 3795348, ... ) == 0x0
 00275   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3796040, ... ) }, 3796040, ... ) == 0x0
 00276   880   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 84, {status=0x0, info=1}, ) }, 5, 96, ... 84, {status=0x0, info=1}, ) == 0x0
 00277   880   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 84, ... 88, ) == 0x0
 00278   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 92, ) }, ... 92, ) == 0x0
 00280   880   NtQueryValueKey  (92,  (92, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   880   NtClose  (92, ... ) == 0x0
 00282   880   NtQueryVolumeInformationFile  (84, 3795348, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00283   880   NtOpenMutant  (0x120001, {24, 40, 0x0, 0, 0,  (0x120001, {24, 40, 0x0, 0, 0, "ShimCacheMutex"}, ... 92, ) }, ... 92, ) == 0x0
 00284   880   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00285   880   NtOpenSection  (0x2, {24, 40, 0x0, 0, 0,  (0x2, {24, 40, 0x0, 0, 0, "ShimSharedMemory"}, ... 96, ) }, ... 96, ) == 0x0
 00286   880   NtMapViewOfSection  (96, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 57344, ) == 0x0
 00287   880   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00288   880   NtAllocateVirtualMemory  (-1, 3784704, 0, 4096, 4096, 260, ... 3784704, 4096, ) == 0x0
 00289   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 3793332, ... ) }, 3793332, ... ) == 0x0
 00290   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00291   880   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00292   880   NtClose  (100, ... ) == 0x0
 00293   880   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 106496, ) == 0x0
 00294   880   NtClose  (104, ... ) == 0x0
 00295   880   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00296   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 3793648, ... ) }, 3793648, ... ) == 0x0
 00297   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00298   880   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00299   880   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00300   880   NtOpenProcessToken  (-1, 0x8, ... 108, ) == 0x0
 00301   880   NtQueryInformationToken  (108, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00302   880   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00303   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) }, ... 112, ) == 0x0
 00304   880   NtQueryValueKey  (112,  (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00305   880   NtClose  (112, ... ) == 0x0
 00306   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00307   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 112, ) == 0x0
 00308   880   NtQueryInformationToken  (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00309   880   NtClose  (112, ... ) == 0x0
 00310   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   880   NtClose  (108, ... ) == 0x0
 00312   880   NtClose  (104, ... ) == 0x0
 00313   880   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 00314   880   NtClose  (100, ... ) == 0x0
 00315   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 100, {status=0x0, info=1}, ) == 0x0
 00316   880   NtQueryInformationFile  (100, 3793936, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00317   880   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 100, ... 104, ) == 0x0
 00318   880   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1028096, ) == 0x0
 00319   880   NtQueryInformationFile  (100, 3794032, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00320   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321   880   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00322   880   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00323   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00324   880   NtQueryDirectoryFile  (108, 0, 0, 0, 3791596, 616, BothDirectory, 1,  (108, 0, 0, 0, 3791596, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00325   880   NtClose  (108, ... ) == 0x0
 00326   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00327   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00328   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3790984, ... ) }, 3790984, ... ) == 0x0
 00329   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00330   880   NtQueryDirectoryFile  (108, 0, 0, 0, 3790344, 616, BothDirectory, 1,  (108, 0, 0, 0, 3790344, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00331   880   NtClose  (108, ... ) == 0x0
 00332   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00333   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00334   880   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00335   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00336   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00337   880   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00338   880   NtClose  (108, ... ) == 0x0
 00339   880   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00340   880   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\IEXPLORE.EXE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00341   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3792856, ... ) }, 3792856, ... ) == 0x0
 00342   880   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 108, ) }, ... 108, ) == 0x0
 00343   880   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0
 00344   880   NtClose  (108, ... ) == 0x0
 00345   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00346   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00347   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791772, ... ) }, 3791772, ... ) == 0x0
 00348   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00349   880   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0
 00350   880   NtClose  (108, ... ) == 0x0
 00351   880   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 94208, ) == 0x0
 00352   880   NtClose  (112, ... ) == 0x0
 00353   880   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00354   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791412, ... ) }, 3791412, ... ) == 0x0
 00355   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3792112,  (0x80100080, {24, 0, 0x40, 0, 3792112, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00356   880   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 108, ) == 0x0
 00357   880   NtClose  (112, ... ) == 0x0
 00358   880   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 94208, ) == 0x0
 00359   880   NtClose  (108, ... ) == 0x0
 00360   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00361   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00362   880   NtQueryDefaultLocale  (1, 3792636, ... ) == 0x0
 00363   880   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00364   880   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00365   880   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00366   880   NtAllocateVirtualMemory  (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0
 00367   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00368   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00369   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791764, ... ) }, 3791764, ... ) == 0x0
 00370   880   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00371   880   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 108, ... 112, ) == 0x0
 00372   880   NtClose  (108, ... ) == 0x0
 00373   880   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3b0000), 0x0, 94208, ) == 0x0
 00374   880   NtClose  (112, ... ) == 0x0
 00375   880   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00376   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3791404, ... ) }, 3791404, ... ) == 0x0
 00377   880   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 3792104,  (0x80100080, {24, 0, 0x40, 0, 3792104, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 00378   880   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 112, ... 108, ) == 0x0
 00379   880   NtClose  (112, ... ) == 0x0
 00380   880   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3b0000), {0, 0}, 94208, ) == 0x0
 00381   880   NtClose  (108, ... ) == 0x0
 00382   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00383   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00384   880   NtQueryDefaultLocale  (1, 3792628, ... ) == 0x0
 00385   880   NtQueryVirtualMemory  (-1, 0x3b0000, Basic, 28, ... {BaseAddress=0x3b0000,AllocationBase=0x3b0000,AllocationProtect=0x2,RegionSize=0x17000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00386   880   NtUnmapViewOfSection  (-1, 0x3b0000, ... ) == 0x0
 00387   880   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00388   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00389   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00390   880   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00391   880   NtClose  (108, ... ) == 0x0
 00392   880   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00393   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00394   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00395   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3793264, ... ) }, 3793264, ... ) == 0x0
 00396   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00397   880   NtQueryDirectoryFile  (108, 0, 0, 0, 3792624, 616, BothDirectory, 1,  (108, 0, 0, 0, 3792624, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00398   880   NtClose  (108, ... ) == 0x0
 00399   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00400   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00401   880   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00402   880   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00403   880   NtUnmapViewOfSection  (-1, 0x510000, ... ) == 0x0
 00404   880   NtClose  (104, ... ) == 0x0
 00405   880   NtClose  (100, ... ) == 0x0
 00406   880   NtQuerySection  (88, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00407   880   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   880   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 00409   880   NtOpenProcessToken  (-1, 0xa, ... 100, ) == 0x0
 00410   880   NtQueryInformationToken  (100, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00411   880   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00413   880   NtQueryValueKey  (104,  (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00414   880   NtQueryValueKey  (104,  (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00415   880   NtClose  (104, ... ) == 0x0
 00416   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00417   880   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00418   880   NtQueryValueKey  (104,  (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (104, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 00419   880   NtClose  (104, ... ) == 0x0
 00420   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00421   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00422   880   NtQueryValueKey  (104,  (104, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   880   NtClose  (104, ... ) == 0x0
 00424   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00425   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00426   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00427   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00428   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00429   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00430   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00431   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00432   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00433   880   NtQueryDefaultLocale  (1, 3794720, ... ) == 0x0
 00434   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 104, ) }, ... 104, ) == 0x0
 00435   880   NtEnumerateKey  (104, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (104, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 00436   880   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 108, ) }, ... 108, ) == 0x0
 00437   880   NtQueryValueKey  (108,  (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (108, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 00438   880   NtQueryValueKey  (108,  (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (108, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00439   880   NtClose  (108, ... ) == 0x0
 00440   880   NtEnumerateKey  (104, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 00441   880   NtClose  (104, ... ) == 0x0
 00442   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00443   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00444   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00446   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00447   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00448   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00449   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00450   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00451   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00452   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00453   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00454   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00455   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00456   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00457   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00458   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00459   880   NtClose  (104, ... ) == 0x0
 00460   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00461   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00462   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00463   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00464   880   NtClose  (104, ... ) == 0x0
 00465   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00466   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00467   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00468   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00469   880   NtClose  (104, ... ) == 0x0
 00470   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00471   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00472   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00473   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00474   880   NtClose  (104, ... ) == 0x0
 00475   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00476   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00477   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00478   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00479   880   NtClose  (104, ... ) == 0x0
 00480   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00482   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00483   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00484   880   NtClose  (104, ... ) == 0x0
 00485   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00486   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00487   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00488   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00489   880   NtClose  (104, ... ) == 0x0
 00490   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00492   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00493   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00494   880   NtClose  (104, ... ) == 0x0
 00495   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00496   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00497   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00498   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00499   880   NtClose  (104, ... ) == 0x0
 00500   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00501   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00502   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00503   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00504   880   NtClose  (104, ... ) == 0x0
 00505   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00507   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00508   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00509   880   NtClose  (104, ... ) == 0x0
 00510   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00511   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00512   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00513   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00514   880   NtClose  (104, ... ) == 0x0
 00515   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00516   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00517   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00518   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00519   880   NtClose  (104, ... ) == 0x0
 00520   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00521   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00522   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00523   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00524   880   NtClose  (104, ... ) == 0x0
 00525   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00526   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00527   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00528   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00529   880   NtClose  (104, ... ) == 0x0
 00530   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00531   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00532   880   NtQueryValueKey  (104,  (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (104, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 00533   880   NtClose  (104, ... ) == 0x0
 00534   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00535   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00536   880   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00537   880   NtClose  (104, ... ) == 0x0
 00538   880   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00539   880   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00540   880   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 00541   880   NtDuplicateToken  (104, 0xc, {24, 0, 0x0, 0, 3795240, 0x0}, 0, 2, ... 108, ) == 0x0
 00542   880   NtClose  (104, ... ) == 0x0
 00543   880   NtAccessCheck  (1382304, 108, 0x1, 3795368, 3795312, 56, 3795396, ... (0x1), ) == 0x0
 00544   880   NtClose  (108, ... ) == 0x0
 00545   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 108, ) }, ... 108, ) == 0x0
 00546   880   NtQueryValueKey  (108,  (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (108, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00547   880   NtClose  (108, ... ) == 0x0
 00548   880   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 108, ) }, ... 108, ) == 0x0
 00549   880   NtQuerySymbolicLinkObject  (108, ...  (108, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 00550   880   NtClose  (108, ... ) == 0x0
 00551   880   NtQueryInformationFile  (84, 3793700, 528, Name, ... {status=0x0, info=94}, ) == 0x0
 00552   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00553   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00554   880   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 3792380, ... ) }, 3792380, ... ) == 0x0
 00555   880   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\"}, 3, 16417, ... 108, {status=0x0, info=1}, ) }, 3, 16417, ... 108, {status=0x0, info=1}, ) == 0x0
 00556   880   NtQueryDirectoryFile  (108, 0, 0, 0, 3791740, 616, BothDirectory, 1,  (108, 0, 0, 0, 3791740, 616, BothDirectory, 1, "IEXPLORE.EXE", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 00557   880   NtClose  (108, ... ) == 0x0
 00558   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00559   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00560   880   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00561   880   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00562   880   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00563   880   NtClose  (108, ... ) == 0x0
 00564   880   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 108, ) }, ... 108, ) == 0x0
 00565   880   NtOpenKey  (0x20019, {24, 108, 0x40, 0, 0,  (0x20019, {24, 108, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0
 00566   880   NtClose  (108, ... ) == 0x0
 00567   880   NtQueryValueKey  (104,  (104, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 00568   880   NtQueryValueKey  (104,  (104, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (104, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 00569   880   NtClose  (104, ... ) == 0x0
 00570   880   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 3866624, 4096, ) == 0x0
 00571   880   NtAllocateVirtualMemory  (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0
 00572   880   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 00573   880   NtQueryValueKey  (104,  (104, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00574   880   NtClose  (104, ... ) == 0x0
 00575   880   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   880   NtQueryInformationToken  (100, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 00577   880   NtQueryInformationToken  (100, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 00578   880   NtClose  (100, ... ) == 0x0
 00579   880   NtCreateProcessEx  (3797976, 2035711, 0, -1, 0, 88, 0, 0, 0, ... ) == 0x0
 00580   880   NtQueryInformationProcess  (100, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=960,ParentPid=516,}, 0x0, ) == 0x0
 00581   880   NtReadVirtualMemory  (100, 0x7ffdf008, 4, ...  (100, 0x7ffdf008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 00582   880   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00583   880   NtAllocateVirtualMemory  (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0
 00584   880   NtReadVirtualMemory  (100, 0x400000, 4096, ...  (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\226 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257l\1\24\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) U\257\322 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\1\1\21\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257L\1I\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257l\1i\257\227 (100, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\322C:\374\226"T\257\226"T\257\226"T\257l\1\24\257\227"T\257\226"U\257\322"T\257l\1M\257\233"T\257\1\1\21\257\227"T\257L\1H\257\227"T\257L\1I\257\227"T\257l\1k\257\227"T\257l\1i\257\227"T\257Rich\226"T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) T\257\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0L\203};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\26\0\0\0J\1\0\0\0\0\0\346\36\0\0\0\20\0\0\00\0\0\0\0@\0\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\220\1\0\0\4\0\0VT\2\0\2\0\0\200\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\240%\0\0K\0\0\0\354\37\0\0x\0\0\0\0@\0\0HG\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \21\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\2\0\0l\0\0\0\0\20\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\353\25\0\0", 4096, ) == 0x0
 00585   880   NtReadVirtualMemory  (100, 0x404000, 256, ...  (100, 0x404000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\6\0\0\0\370\1\0\200\16\0\0\0\20\2\0\200\20\0\0\0\330\2\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\07\0\1\0\0\0\360\2\0\200\2\0\0\0\10\3\0\200\3\0\0\0 \3\0\200\4\0\0\08\3\0\200\5\0\0\0P\3\0\200\6\0\0\0h\3\0\200\7\0\0\0\200\3\0\200\10\0\0\0\230\3\0\200\11\0\0\0\260\3\0\200\12\0\0\0\310\3\0\200\13\0\0\0\340\3\0\200\14\0\0\0\370\3\0\200\15\0\0\0\20\4\0\200\16\0\0\0(\4\0\200\17\0\0\0@\4\0\200\20\0\0\0X\4\0\200\21\0\0\0p\4\0\200\22\0\0\0\210\4\0\200\23\0\0\0\240\4\0\200\24\0\0\0\270\4\0\200\25\0\0\0\320\4\0\200\26\0\0\0\350\4\0\200\27\0\0\0\0\5\0\200\30\0\0\0\30\5\0\200", 256, ) , 256, ) == 0x0
 00586   880   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00587   880   NtQueryInformationProcess  (100, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=960,ParentPid=516,}, 0x0, ) == 0x0
 00588   880   NtAllocateVirtualMemory  (-1, 0, 0, 1788, 4096, 4, ... 3932160, 4096, ) == 0x0
 00589   880   NtAllocateVirtualMemory  (100, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 00590   880   NtWriteVirtualMemory  (100, 0x10000,  (100, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 00591   880   NtAllocateVirtualMemory  (100, 0, 0, 1788, 4096, 4, ... 131072, 4096, ) == 0x0
 00592   880   NtWriteVirtualMemory  (100, 0x20000,  (100, 0x20000, "\0\20\0\0\374\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\32\1\34\1\230\4\0\0^\0`\0\264\5\0\0b\0d\0\24\6\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0^\0`\0x\6\0\0\36\0 \0\330\6\0\0\0\0\2\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1788, ... 0x0, ) , 1788, ... 0x0, ) == 0x0
 00593   880   NtWriteVirtualMemory  (100, 0x7ffdf010,  (100, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00594   880   NtAllocateVirtualMemory  (100, 0, 0, 148, 4096, 4, ... 196608, 4096, ) == 0x0
 00595   880   NtWriteVirtualMemory  (100, 0x30000,  (100, 0x30000, "S\0h\0i\0m\0E\0n\0g\0.\0d\0l\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\0\0\253\355\15\254\344\254\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 148, ... 0x0, ) , 148, ... 0x0, ) == 0x0
 00596   880   NtWriteVirtualMemory  (100, 0x7ffdf1e8,  (100, 0x7ffdf1e8, "\0\0\3\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 00597   880   NtFreeVirtualMemory  (-1, (0x3c0000), 0, 32768, ... (0x3c0000), 4096, ) == 0x0
 00598   880   NtAllocateVirtualMemory  (100, 0, 0, 1048576, 8192, 4, ... 262144, 1048576, ) == 0x0
 00599   880   NtAllocateVirtualMemory  (100, 1302528, 0, 8192, 4096, 4, ... 1302528, 8192, ) == 0x0
 00600   880   NtProtectVirtualMemory  (100, (0x13e000), 4096, 260, ... (0x13e000), 4096, 4, ) == 0x0
 00601   880   NtCreateThread  (0x1f03ff, 0x0, 100, 3796240, 3796960, 1, ... 104, {960, 964}, ) == 0x0
 00602   880   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1366084, 0, 3798112, 2009901952}  (24, {168, 196, new_msg, 0, 1366084, 0, 3798112, 2009901952} "\0\0\0\0\0\0\1\0h\3649\0\0\0\0\0g\0\0\0h\0\0\0\300\3\0\0\304\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0(\334\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0X\326\24\0" ... {168, 196, reply, 0, 516, 880, 1572, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\0\0\0\300\3\0\0\304\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0(\334\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0X\326\24\0" )  ... {168, 196, reply, 0, 516, 880, 1572, 0}  (24, {168, 196, new_msg, 0, 1366084, 0, 3798112, 2009901952} "\0\0\0\0\0\0\1\0h\3649\0\0\0\0\0g\0\0\0h\0\0\0\300\3\0\0\304\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0(\334\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0X\326\24\0" ... {168, 196, reply, 0, 516, 880, 1572, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0d\0\0\0h\0\0\0\300\3\0\0\304\3\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0(\334\24\0\250\3649\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\09\0X\326\24\0" )  ) == 0x0
 00603   880   NtClose  (84, ... ) == 0x0
 00604   880   NtClose  (88, ... ) == 0x0
 00605   880   NtGetContextThread  (104, 3798860, ... ) == 0x0
 00606   880   NtReadVirtualMemory  (100, 0x7ffdf008, 4, ...  (100, 0x7ffdf008, 4, ... "\0\0@\0", 4, ) , 4, ) == 0x0
 00607   880   NtAllocateVirtualMemory  (100, 320077824, 0, 1089536, 12288, 4, ... 320077824, 1089536, ) == 0x0
 00608   880   NtProtectVirtualMemory  (100, (0x13140000), 512, 64, ... (0x13140000), 4096, 4, ) == 0x0
 00609   880   NtProtectVirtualMemory  (100, (0x13140000), 4096, 4, ... (0x13140000), 4096, 64, ) == 0x0
 00610   880   NtWriteVirtualMemory  (100, 0x13140000,  (100, 0x13140000, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0PE\0\0L\1\2\0Px\352F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\5\14\0\16\0\0\0x\20\0\0\0\0\0\20\20\0\0\0\20\0\0\0 \0\0\0\0\24\23\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\20\0\0\2\0\0S\207\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\234\34\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\15\0\0\0\20\0\0\0\16\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0`.data\0\0\0\232w\20\0\0 \0\0\0\6\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 512, ... 512, ) , 512, ... 512, ) == 0x0
 00611   880   NtFlushInstructionCache  (100, 320077824, 512, ... ) == 0x0
 00612   880   NtProtectVirtualMemory  (100, (0x13141000), 3584, 64, ... (0x13141000), 4096, 4, ) == 0x0
 00613   880   NtProtectVirtualMemory  (100, (0x13141000), 4096, 4, ... (0x13141000), 4096, 64, ) == 0x0
 00614   880   NtWriteVirtualMemory  (100, 0x13141000,  (100, 0x13141000, "\342\34\0\0\320\34\0\0\0\0\0\0\0\0\0\0\270\263%\24\23-% \24\23Ph% \24\23\350G\14\0\0\241\14 \24\23\203\370\0u\3\0\0h\323 \24\23j\0j\0\377\25\352\226$\23\241\0 \24\23\203\370\0t\11\276_!\24\23N\306\6 h\310\0\0\0h\304\220$\23h\3!\24\23\377\25\6\227$\23h?!\24\23h\304\220$\23h:!\24\23h\350\212$\23\377\25\226\227$\23\203\304\20j\0h\200\0\0\0j\2j\0j\0h\0\0\0\300hz!\24\23\377\25\346\226$\23\243\327\226$\23h\310\0\0\0h4\217$\23h\367 \24\23\377\25\6\227$\23h\270q$\23\350\370\2\0\0h% \24\23\350\222\6\0\0\243\350\221$\23\243\354\221$\23\200=\334\226$\23\0\17\204\305\0\0\0h\310\0\0\0h\374\217$\23h\374 \24\23\377\25\6\227$\23\273\374\217$\233\366CF\200;\0u\371h\20!\24\23h\374\217$\23h\33!\24\23h\0\307\33\23\377\25\226\227$\23\203\304\20\277\0\307\33\23\3\376\203\307\12\273\12\0\0\0K\203\373\377t3\210\37\200\70j\0h\200\0\0\0j\3j\0j\0h\0\0\0\200h\0\307\33\23\377\25\346\226$\23\203\370\377t\323P\377\25\342\226$\23\351\367\0\0\0\377\25\16\227$\233\322\271\12\0\0\0\367\361\200\3020\210\27j\0h\200\0\0\0j\1j\0j\0", 3584, ... 3584, ) \3\0\0h\323 \24\23j\0j\0\377\25\352\226$\23\241\0 \24\23\203\370\0t\11\276_!\24\23N\306\6 h\310\0\0\0h\304\220$\23h\3!\24\23\377\25\6\227$\23h?!\24\23h\304\220$\23h:!\24\23h\350\212$\23\377\25\226\227$\23\203\304\20j\0h\200\0\0\0j\2j\0j\0h\0\0\0\300hz!\24\23\377\25\346\226$\23\243\327\226$\23h\310\0\0\0h4\217$\23h\367 \24\23\377\25\6\227$\23h\270q$\23\350\370\2\0\0h% \24\23\350\222\6\0\0\243\350\221$\23\243\354\221$\23\200=\334\226$\23\0\17\204\305\0\0\0h\310\0\0\0h\374\217$\23h\374 \24\23\377\25\6\227$\23\273\374\217$\233\366CF\200;\0u\371h\20!\24\23h\374\217$\23h\33!\24\23h\0\307\33\23\377\25\226\227$\23\203\304\20\277\0\307\33\23\3\376\203\307\12\273\12\0\0\0K\203\373\377t3\210\37\200\70j\0h\200\0\0\0j\3j\0j\0h\0\0\0\200h\0\307\33\23\377\25\346\226$\23\203\370\377t\323P\377\25\342\226$\23\351\367\0\0\0\377\25\16\227$\233\322\271\12\0\0\0\367\361\200\3020\210\27j\0h\200\0\0\0j\1j\0j\0", 3584, ... 3584, ) == 0x0
 00615   880   NtFlushInstructionCache  (100, 320081920, 3584, ... ) == 0x0
 00616   880   NtProtectVirtualMemory  (100, (0x13141000), 3328, 32, ... (0x13141000), 4096, 4, ) == 0x0
 00617   880   NtProtectVirtualMemory  (100, (0x13142000), 1536, 64, ... (0x13142000), 4096, 4, ) == 0x0
 00618   880   NtProtectVirtualMemory  (100, (0x13142000), 4096, 4, ... (0x13142000), 4096, 64, ) == 0x0
 00619   880   NtWriteVirtualMemory  (100, 0x13142000,  (100, 0x13142000, "\0\0\0\0V\0\0\0%\0\0\0\330\5\350w\375\245\347w3a6SiG75nXoOI7df\0\5W\30a]q\31\2\v^xz7RQ\35P\16}Xv\3\33W`o}y\17JP\5O\7j]i\5\1_XYyg\5PP\35S\3aGu\6\6nnYa{\3RH\1T\4}[v\25\hWa\177\1JW\12U\30aZs75\6,\33?s\30KC@NE+6bBjK-0j:hA\25\14DES.\2c\25A+0jw^ay:nk9az<\10#{\\14*\16=0vd!V\25f!\6$vQ\12*\12<:7\17RYO\5a!\30Q\2\24\75y,\31\3^tQ6v\32\33\22@@=\27*I:nk9ab\26$\277B\76\13&;74\24\\6D2\4\1^Y\13+o\23:N\27\22V\14\5a5G\22FK+V\20,O\7\3C\25_<\7iYY\35X3#-E\12\22\35\3_=ibD\20\35X3\6'C\1\24]\4Bs,?GY\1*\12=\25^\1\36C\15Y!\14iRM\13X\35*:C\5\24Gaj\17G\33g]\27+\6,([ \24Z\27Sci\33k\332\12\32!=^\11\33\17B7\5+\31Q\24o\25>f\21\3A\30e*\323RX'6\11 ;Z\5\22Z\16XS:(QA\319\35*\25z\15\5A\16E<\173kb\76\13 >D8%F\23D6\73aP\34+\6 'k0\16V\14S 5\13VF\32\14\7*$Rd*R\22BSnG\P\346\12#z\5J", 1536, ... 1536, ) , 1536, ... 1536, ) == 0x0
 00620   880   NtFlushInstructionCache  (100, 320086016, 1536, ... ) == 0x0
 00621   880   NtProtectVirtualMemory  (100, (0x13142000), 1079194, 4, ... (0x13142000), 1081344, 4, ) == 0x0
 00622   880   NtProtectVirtualMemory  (100, (0x7ffdf008), 4, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 00623   880   NtProtectVirtualMemory  (100, (0x7ffdf000), 4096, 64, ... (0x7ffdf000), 4096, 64, ) == 0x0
 00624   880   NtWriteVirtualMemory  (100, 0x7ffdf008,  (100, 0x7ffdf008, "\0\0\24\23", 4, ... 4, ) , 4, ... 4, ) == 0x0
 00625   880   NtFlushInstructionCache  (100, 2147348488, 4, ... ) == 0x0
 00626   880   NtSetContextThread  (104, 3798860, ... ) == 0x0
 00627   880   NtResumeThread  (104, ... 1, ) == 0x0
 00628   880   NtClose  (100, ... ) == 0x0
 00629   880   NtClose  (104, ... ) == 0x0
 00630   880   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 3799476,  (0xc0100080, {24, 0, 0x40, 0, 3799476, "\??\Runtime"}, 0x0, 128, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=0}, ) }, 0x0, 128, 0, 5, 96, 0, 0, ... 104, {status=0x0, info=0}, ) == 0x0
 00631   880   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x9c402400,  (104, 0, 0x0, 0x0, 0x9c402400, "\300\3\0\0", 4, 0, ... {status=0x0, info=0}, 0x0, ) , 4, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00632   880   NtClose  (104, ... ) == 0x0
 00633   880   NtOpenFile  (0x10080, {24, 0, 0x40, 0, 0,  (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drivers\runtime.sys"}, 7, 2113600, ... 104, {status=0x0, info=1}, ) }, 7, 2113600, ... 104, {status=0x0, info=1}, ) == 0x0
 00634   880   NtQueryInformationFile  (104, 3799548, 8, AttributeFlag, ... ) == STATUS_INVALID_PARAMETER
 00635   880   NtSetInformationFile  (104, 3799599, 1, Disposition, ... {status=0x0, info=0}, ) == 0x0
 00636   880   NtClose  (104, ... ) == 0x0
 00637   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00638   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00639   880   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, ":\work\packed.ex"}, 3797640, ... ) }, 3797640, ... ) == STATUS_OBJECT_PATH_SYNTAX_BAD
 00640   880   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00641   880   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00642   880   NtQueryInformationThread  (-2, AmILastThread, 4, ... {thread info, class 12, size 4}, 0x0, ) == 0x0
 00643   880   NtClose  (60, ... ) == 0x0
 00644   880   NtClose  (56, ... ) == 0x0
 00645   880   NtTerminateThread  (0, 0, ...
 00646   880   NtFreeVirtualMemory  (-1, (0x360000), 0, 32768, ... (0x360000), 262144, ) == 0x0
 00125   752   NtDelayExecution  ... ) == 0x0
 00647   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00648   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00649   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00650   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00651   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00652   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00653   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00654   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00655   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00656   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00657   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00658   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00659   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00660   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00661   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00662   752   NtDelayExecution  (0, {-40000000, -1}, ... ) == 0x0
 00663   752   NtDelayExecution  (0, {-40000000, -1}, ...
NtAccessCheck(>)	1	NtEnumerateKey(>)	2	NtReadVirtualMemory(>)	4	NtQuerySystemInformation(>)	11
NtCreateProcessEx(>)	1	NtGetContextThread(>)	2	NtResumeThread(>)	4	NtSetInformationFile(>)	12
NtDeviceIoControlFile(>)	1	NtOpenDirectoryObject(>)	2	NtContinue(>)	5	NtSetInformationProcess(>)	13
NtLoadDriver(>)	1	NtOpenMutant(>)	2	NtCreateEvent(>)	5	NtCreateFile(>)	14
NtOpenEvent(>)	1	NtOpenSymbolicLinkObject(>)	2	NtFlushInstructionCache(>)	5	NtOpenFile(>)	15
NtOpenKeyedEvent(>)	1	NtQueryDefaultUILanguage(>)	2	NtFreeVirtualMemory(>)	5	NtProtectVirtualMemory(>)	15
NtQueryDebugFilterState(>)	1	NtQuerySymbolicLinkObject(>)	2	NtQueryVirtualMemory(>)	5	NtMapViewOfSection(>)	16
NtQueryInformationJobObject(>)	1	NtReleaseMutant(>)	2	NtRequestWaitReplyPort(>)	5	NtQueryAttributesFile(>)	18
NtQueryInstallUILanguage(>)	1	NtSetContextThread(>)	2	NtFsControlFile(>)	6	NtQueryInformationProcess(>)	18
NtQueryObject(>)	1	NtSetInformationObject(>)	2	NtOpenThreadToken(>)	6	NtDelayExecution(>)	19
NtQuerySystemTime(>)	1	NtAdjustPrivilegesToken(>)	3	NtQueryInformationFile(>)	6	NtOpenProcessTokenEx(>)	21
NtReadFile(>)	1	NtCreateThread(>)	3	NtSetInformationThread(>)	6	NtOpenThreadTokenEx(>)	21
NtSecureConnectPort(>)	1	NtQueryInformationThread(>)	3	NtUnmapViewOfSection(>)	6	NtQueryDefaultLocale(>)	22
NtSuspendThread(>)	1	NtQuerySection(>)	3	NtOpenProcessToken(>)	7	NtQueryValueKey(>)	23
NtTerminateThread(>)	1	NtRegisterThreadTerminatePort(>)	3	NtWaitForSingleObject(>)	8	NtQueryInformationToken(>)	26
NtCreateIoCompletion(>)	2	NtSetValueKey(>)	3	NtCreateSection(>)	9	NtAllocateVirtualMemory(>)	40
NtCreateKey(>)	2	NtTestAlert(>)	3	NtWriteFile(>)	9	NtOpenKey(>)	71
NtDuplicateObject(>)	2	NtQueryDirectoryFile(>)	4	NtWriteVirtualMemory(>)	9	NtClose(>)	101
NtDuplicateToken(>)	2	NtQueryVolumeInformationFile(>)	4	NtOpenSection(>)	11