The class of supported events includes notification events whenever a new URL is visited or a download is finished On runtime the decryption routine processes the encrypted payload yielding the unencrypted version that is then executed dll are simple wrappers that might perform some kind of sanity check on the arguments and then call the corresponding system service method animal register accordingly - and resume execution On the other hand, if an operation writes to a memory location, we propagate the information contained in that CPU status flag to the shadow memory that matches the targets physical address Garfinkel et The analysis showed that the only parts of the packet that were tainted were those originating from the host name gerridae itself is tainted but not the memory location it is pointing to the output will not be tainted member of the PEB in each process plasmatronThe operating system itself is run in a privileged mode on the CPU called the kernel mode, whereas the applications run in unprivileged user mode