Summary: per-syscall call counts for the traced process (the constant "460" column in the trace below), laid out four entries per row. The meaning of the "(>)" suffix is not defined on this page. Note that the table is not a complete tally of the trace: NtSetInformationThread, which occurs three times below (records 00087, 00130 and 00135), has no entry here, so do not rely on this table alone when triaging — read the trace.

NtContinue(>) 1 NtQueryObject(>) 1 NtOpenThreadToken(>) 2 NtProtectVirtualMemory(>) 4
NtCreateSection(>) 1 NtQuerySection(>) 1 NtQueryInformationProcess(>) 2 NtCreateEvent(>) 5
NtFreeVirtualMemory(>) 1 NtQuerySymbolicLinkObject(>) 1 NtQueryVirtualMemory(>) 2 NtFsControlFile(>) 5
NtOpenEvent(>) 1 NtQuerySystemTime(>) 1 NtReadFile(>) 2 NtMapViewOfSection(>) 7
NtOpenFile(>) 1 NtQueryVolumeInformationFile(>) 1 NtSetInformationObject(>) 2 NtQuerySystemInformation(>) 7
NtOpenKeyedEvent(>) 1 NtRegisterThreadTerminatePort(>) 1 NtTerminateProcess(>) 2 NtQueryValueKey(>) 8
NtOpenMutant(>) 1 NtSecureConnectPort(>) 1 NtWaitForSingleObject(>) 2 NtOpenSection(>) 9
NtOpenProcessToken(>) 1 NtTestAlert(>) 1 NtWriteFile(>) 2 NtAllocateVirtualMemory(>) 10
NtOpenSymbolicLinkObject(>) 1 NtCreateIoCompletion(>) 2 NtCreateFile(>) 3 NtOpenKey(>) 14
NtQueryAttributesFile(>) 1 NtDuplicateObject(>) 2 NtRequestWaitReplyPort(>) 3 NtClose(>) 23
NtQueryDefaultLocale(>) 1 NtFlushInstructionCache(>) 2 NtSetInformationFile(>) 3
NtQueryInformationToken(>) 1 NtOpenDirectoryObject(>) 2

Trace: one record per NT system call, in the form `<seq> <id> <syscall> (<input args> ... <output args>) == <NTSTATUS>`; "460" is the same on every record and is presumably the traced process or thread id. The security-relevant part is short and worth reading first. Records 00088–00093: the sample opens its own image `\??\u:\work\packed.exe`, reads 2432 bytes (info=2432), then creates `\??\C:\WINDOWS\System32\unpr.sys` with CreateDisposition 2 (FILE_CREATE; the returned info=2 is FILE_CREATED) and writes 2432 bytes that are byte-identical to what it just read — i.e. it drops a copy of itself into System32 under a driver-style name. Records 00132–00142: it opens `\??\PIPE\svcctl`, sends a DCE/RPC bind (ptype 0x0b) whose abstract-syntax UUID decodes to 367abb81-9844-35f1-ad32-98f038001003, the Service Control Manager (svcctl) interface, receives a bind_ack (ptype 0x0c) naming `\PIPE\ntsvcs`, and then issues four requests whose opnums (0x1b, 0x18, 0x00, 0x00) correspond to ROpenSCManagerA (with access 0x000F003F = SC_MANAGER_ALL_ACCESS), RCreateServiceA and two RCloseServiceHandle calls. The RCreateServiceA stub carries the service/display name "UNPR", access 0x000F01FF, the binary path `C:\WINDOWS\System32\unpr.sys` and what reads as dwServiceType 1 (SERVICE_KERNEL_DRIVER) — confirm the type/start-type fields by decoding the NDR stub properly rather than by eye. No RStartService request is visible before the process exits (00145–00148), so within this trace the service is registered but not started. The remaining records — the IFEO key probe, KnownDlls and \NLS section mapping, the `\Windows\ApiPort` connection, the Terminal Server / RPC / SafeDllSearchMode registry reads, and the NtProtectVirtualMemory (RW then back to RO) + NtFlushInstructionCache pairs at 00056–00058 and 00065–00067 — are consistent with ordinary ntdll/kernel32/advapi32 process initialisation and import snapping, and the wait on `Global\SvcctrlStartEvent_A3752DX` is the usual SCM-readiness check made before talking to svcctl.

00001 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 460 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 460 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 460 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 460 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 460 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 460 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 460 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 460 NtClose (12, ... 
) == 0x0 00014 460 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 460 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 460 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 460 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 460 NtClose (16, ... ) == 0x0 00021 460 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 460 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 460 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 460 NtClose (16, ... ) == 0x0 00026 460 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 460 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 460 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 460 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 460, 1490, 0} "\350k\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 448, 460, 1490, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 448, 460, 1490, 0} "\350k\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 460 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 460 NtClose (16, ... ) == 0x0 00036 460 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 460 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 460 NtClose (28, ... ) == 0x0 00041 460 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 460 NtClose (28, ... ) == 0x0 00045 460 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 460 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 460 NtClose (28, ... ) == 0x0 00049 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 460 NtClose (28, ... ) == 0x0 00052 460 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 448, 460, 1491, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 448, 460, 1491, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 448, 460, 1491, 0} "8\244\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 460 NtProtectVirtualMemory (-1, (0x402000), 60, 4, ... (0x402000), 4096, 2, ) == 0x0 00057 460 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00058 460 NtFlushInstructionCache (-1, 4202496, 60, ... ) == 0x0 00059 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00061 460 NtClose (28, ... ) == 0x0 00062 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00064 460 NtClose (28, ... ) == 0x0 00065 460 NtProtectVirtualMemory (-1, (0x402000), 60, 4, ... (0x402000), 4096, 2, ) == 0x0 00066 460 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00067 460 NtFlushInstructionCache (-1, 4202496, 60, ... ) == 0x0 00068 460 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00069 460 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00070 460 NtClose (28, ... ) == 0x0 00071 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00072 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00073 460 NtClose (28, ... ) == 0x0 00074 460 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00075 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00076 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00077 460 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00078 460 NtClose (28, ... ) == 0x0 00079 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00080 460 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 460 NtClose (28, ... ) == 0x0 00082 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00083 460 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00084 460 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00085 460 NtTestAlert (... ) == 0x0 00086 460 NtContinue (1244464, 1, ... 00087 460 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401000,}, 4, ... 
) == 0x0 00088 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1245000, (0x80100080, {24, 0, 0x40, 0, 1245000, "\??\u:\work\packed.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) == 0x0 00089 460 NtSetInformationFile (32, 1245092, 8, Position, ... {status=0x0, info=0}, ) == 0x0 00090 460 NtReadFile (32, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=2432}, (32, 0, 0, 0, 16384, 0x0, 0, ... {status=0x0, info=2432}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\245\361B\332\341\220,\211\341\220,\211\341\220,\211\341\220-\211\344\220,\211\270\263?\211\342\220,\211\35\260>\211\340\220,\211Rich\341\220,\211\0\0\0\0\0\0\0\0PE\0\0L\1\5\0qH6G\0\0\0\0\0\0\0\0\340\0\16\1\13\1\5\14\340\1\0\0 \5\0\0\0\0\0\0c\3\0\0\200\2\0\0\240\3\0\0\0\0\1\0 \0\0\0 \0\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\200\11\0\0\200\2\0\0\35\366\0\0\1\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0@\10\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\3\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\24\1\0\0\200\2\0\0 \1\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0h.rdata\0\0\30\0\0\0\240\3\0\0 \0\0\0\240\3\0\0\0\0\0\0", ) , ) == 0x0 00091 460 NtClose (32, ... ) == 0x0 00092 460 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1245000, (0x40100080, {24, 0, 0x40, 0, 1245000, "\??\C:\WINDOWS\System32\unpr.sys"}, 0x0, 0, 1, 2, 96, 0, 0, ... 32, {status=0x0, info=2}, ) }, 0x0, 0, 1, 2, 96, 0, 0, ... 
32, {status=0x0, info=2}, ) == 0x0 00093 460 NtWriteFile (32, 0, 0, 0, (32, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\270\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\245\361B\332\341\220,\211\341\220,\211\341\220,\211\341\220-\211\344\220,\211\270\263?\211\342\220,\211\35\260>\211\340\220,\211Rich\341\220,\211\0\0\0\0\0\0\0\0PE\0\0L\1\5\0qH6G\0\0\0\0\0\0\0\0\340\0\16\1\13\1\5\14\340\1\0\0 \5\0\0\0\0\0\0c\3\0\0\200\2\0\0\240\3\0\0\0\0\1\0 \0\0\0 \0\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\200\11\0\0\200\2\0\0\35\366\0\0\1\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0@\10\0\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\3\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\24\1\0\0\200\2\0\0 \1\0\0\200\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0h.rdata\0\0\30\0\0\0\240\3\0\0 \0\0\0\240\3\0\0\0\0\0\0", 2432, 0x0, 0, ... {status=0x0, info=2432}, ) , 2432, 0x0, 0, ... {status=0x0, info=2432}, ) == 0x0 00094 460 NtClose (32, ... ) == 0x0 00095 460 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 32, ) }, ... 32, ) == 0x0 00096 460 NtOpenEvent (0x100000, {24, 32, 0x0, 0, 0, (0x100000, {24, 32, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 36, ) }, ... 36, ) == 0x0 00097 460 NtWaitForSingleObject (36, 0, {-1800000000, -1}, ... ) == 0x0 00098 460 NtClose (36, ... ) == 0x0 00099 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00100 460 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 460 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 36, ) }, ... 36, ) == 0x0 00102 460 NtQueryValueKey (36, (36, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 460 NtClose (36, ... ) == 0x0 00104 460 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00105 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00106 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 40, ) == 0x0 00107 460 NtQuerySystemTime (... {-728103530, 29891054}, ) == 0x0 00108 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 44, ) == 0x0 00109 460 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00110 460 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 460 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00112 460 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00113 460 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00114 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 
48, ) == 0x0 00115 460 NtQueryValueKey (48, (48, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 460 NtClose (48, ... ) == 0x0 00117 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 48, ) == 0x0 00118 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0 00119 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 56, ) }, ... 56, ) == 0x0 00120 460 NtOpenKey (0x20019, {24, 56, 0x40, 0, 0, (0x20019, {24, 56, 0x40, 0, 0, "ActiveComputerName"}, ... 60, ) }, ... 60, ) == 0x0 00121 460 NtQueryValueKey (60, (60, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (60, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (60, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00122 460 NtClose (60, ... ) == 0x0 00123 460 NtClose (56, ... ) == 0x0 00124 460 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 56, ) == 0x0 00125 460 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 60, ) == 0x0 00126 460 NtDuplicateObject (-1, 56, -1, 0x0, 0, 2, ... 64, ) == 0x0 00127 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00128 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 68, ) == 0x0 00129 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00130 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00131 460 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00132 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243452, (0xc0100080, {24, 0, 0x40, 0, 1243452, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 
72, {status=0x0, info=1}, ) == 0x0 00133 460 NtSetInformationFile (72, 1243508, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00134 460 NtSetInformationFile (72, 1243500, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00135 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00136 460 NtWriteFile (72, 49, 0, 0, (72, 49, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00137 460 NtReadFile (72, 49, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (72, 49, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00138 460 NtFsControlFile (72, 49, 0x0, 0x0, 0x11c017, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0?\0\17\0", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\36\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00139 460 NtFsControlFile (72, 49, 0x0, 0x0, 0x11c017, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\260\0\0\0\2\0\0\0\230\0\0\0\0\0\30\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305\5\0\0\0\0\0\0\0\5\0\0\0UNPR\0\350\10\0\120@\0\5\0\0\0\0\0\0\0\5\0\0\0UNPR\0\0\0\0\377\1\17\0\1\0\0\0\0\0\0\0\1\0\0\0\35\0\0\0\0\0\0\0\35\0\0\0C:\WINDOWS\System32\unpr.sys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 176, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 176, 1024, ... {status=0x103, info=48}, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\260\0\0\0\2\0\0\0\230\0\0\0\0\0\30\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305\5\0\0\0\0\0\0\0\5\0\0\0UNPR\0\350\10\0\120@\0\5\0\0\0\0\0\0\0\5\0\0\0UNPR\0\0\0\0\377\1\17\0\1\0\0\0\0\0\0\0\1\0\0\0\35\0\0\0\0\0\0\0\35\0\0\0C:\WINDOWS\System32\unpr.sys\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 176, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 00140 460 NtWaitForSingleObject (49, 0, 0x0, ... ) == 0x0 00141 460 NtFsControlFile (72, 49, 0x0, 0x0, 0x11c017, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0mt\300\17\342\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0mt\300\17\342\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=52}, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0mt\300\17\342\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=52}, "\5\0\2\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0mt\300\17\342\205\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 00142 460 NtFsControlFile (72, 49, 0x0, 0x0, 0x11c017, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (72, 49, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0lt\300\17\342\205\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\3\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00143 460 NtClose (68, ... ) == 0x0 00144 460 NtClose (72, ... ) == 0x0 00145 460 NtTerminateProcess (0, 0, ... ) == 0x0 00146 460 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00147 460 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1244936, 1245048, 2009942201, 2010037320} (24, {20, 48, new_msg, 0, 1244936, 1245048, 2009942201, 2010037320} "\0\0\0\0\3\0\1\0\301\311\342w\370\362\336w\0\0\0\0" ... {20, 48, reply, 0, 448, 460, 1503, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370\362\336w\0\0\0\0" ) ... {20, 48, reply, 0, 448, 460, 1503, 0} (24, {20, 48, new_msg, 0, 1244936, 1245048, 2009942201, 2010037320} "\0\0\0\0\3\0\1\0\301\311\342w\370\362\336w\0\0\0\0" ... {20, 48, reply, 0, 448, 460, 1503, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\370\362\336w\0\0\0\0" ) ) == 0x0 00148 460 NtTerminateProcess (-1, 0, ...