Summary:





NtCallbackReturn(>)  1 
NtUserGetIconSize(>)  2 
NtGdiCreateDIBitmapInternal(>)  6 
NtUserSelectPalette(>)  16 


NtConnectPort(>)  1 
NtUserGetImeInfoEx(>)  2 
NtGdiCreateRectRgn(>)  6 
NtGdiCreateCompatibleDC(>)  17 


NtCreateKey(>)  1 
NtUserNotifyIMEStatus(>)  2 
NtGdiGetCharSet(>)  6 
NtQueryDirectoryFile(>)  17 


NtDuplicateObject(>)  1 
NtUserQueryInputContext(>)  2 
NtGdiGetStockObject(>)  6 
NtUserRegisterClassExWOW(>)  17 


NtFlushVirtualMemory(>)  1 
NtUserSetTimer(>)  2 
NtOpenThreadToken(>)  6 
NtGdiDrawStream(>)  18 


NtFsControlFile(>)  1 
NtUserSetWindowRgn(>)  2 
NtUserBeginPaint(>)  6 
NtQueryInformationFile(>)  19 


NtGdiExtCreateRegion(>)  1 
NtUserSetWindowsHookEx(>)  2 
NtUserGetClassInfo(>)  6 
NtSetInformationProcess(>)  19 


NtGdiGetDCDword(>)  1 
NtUserShowWindow(>)  2 
NtUserGetForegroundWindow(>)  6 
NtUserFindExistingCursorIcon(>)  19 


NtGdiInit(>)  1 
NtUserUnhookWindowsHookEx(>)  2 
NtUserGetKeyboardLayoutList(>)  6 
NtUserRemoveProp(>)  20 


NtGdiOffsetRgn(>)  1 
NtUserUnregisterClass(>)  2 
NtUserSetCursorIconData(>)  6 
NtUserCallMsgFilter(>)  21 


NtGdiQueryFontAssocInfo(>)  1 
NtCreateEvent(>)  3 
NtUserSetWindowPos(>)  6 
NtGdiIntersectClipRect(>)  22 


NtOpenKeyedEvent(>)  1 
NtGdiExcludeClipRect(>)  3 
NtCreateMutant(>)  7 
NtOpenSection(>)  22 


NtOpenMutant(>)  1 
NtGdiGetWidthTable(>)  3 
NtSetInformationThread(>)  7 
NtUserRegisterWindowMessage(>)  22 


NtQueryKey(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserGetControlBrush(>)  7 
NtQuerySystemInformation(>)  24 


NtQueryObject(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserSetProp(>)  7 
NtSetEvent(>)  24 


NtRegisterThreadTerminatePort(>)  1 
NtSetInformationFile(>)  3 
NtEnumerateKey(>)  8 
NtUserPostThreadMessage(>)  24 


NtSecureConnectPort(>)  1 
NtSetInformationObject(>)  3 
NtGdiCreateBitmap(>)  8 
NtOpenEvent(>)  25 


NtSetValueKey(>)  1 
NtUserEndPaint(>)  3 
NtGdiCreateCompatibleBitmap(>)  8 
NtUserGetWindowDC(>)  25 


NtTestAlert(>)  1 
NtUserGetObjectInformation(>)  3 
NtGdiGetBitmapBits(>)  8 
NtGdiExtGetObjectW(>)  30 


NtUserBuildNameList(>)  1 
NtUserGetThreadDesktop(>)  3 
NtGdiGetDCforBitmap(>)  8 
NtOpenProcessTokenEx(>)  30 


NtUserCallHwnd(>)  1 
NtUserOpenDesktop(>)  3 
NtGdiRestoreDC(>)  8 
NtOpenThreadTokenEx(>)  30 


NtUserCloseDesktop(>)  1 
NtUserSetCursor(>)  3 
NtGdiSaveDC(>)  8 
NtQueryDefaultLocale(>)  33 


NtUserDrawIconEx(>)  1 
NtUserSystemParametersInfo(>)  3 
NtGdiSetDIBitsToDeviceInternal(>)  8 
NtQueryInformationProcess(>)  34 


NtUserFindWindowEx(>)  1 
NtUserUpdateInputContext(>)  3 
NtQueryDefaultUILanguage(>)  8 
NtUnmapViewOfSection(>)  34 


NtUserGetCursorFrameInfo(>)  1 
NtAccessCheck(>)  4 
NtQueryVirtualMemory(>)  8 
NtCreateSection(>)  35 


NtUserGetGUIThreadInfo(>)  1 
NtContinue(>)  4 
NtUserInternalGetWindowText(>)  8 
NtUserPeekMessage(>)  39 


NtUserInvalidateRect(>)  1 
NtDuplicateToken(>)  4 
NtWriteVirtualMemory(>)  8 
NtFlushInstructionCache(>)  41 


NtUserModifyUserStartupInfoFlags(>)  1 
NtFreeVirtualMemory(>)  4 
NtGdiBitBlt(>)  9 
NtOpenFile(>)  41 


NtUserSetCapture(>)  1 
NtGdiGetDIBitsInternal(>)  4 
NtGdiGetDCObject(>)  9 
NtQueryInformationToken(>)  41 


NtUserSetImeOwnerWindow(>)  1 
NtGdiGetTextCharsetInfo(>)  4 
NtQuerySection(>)  9 
NtAllocateVirtualMemory(>)  42 


NtUserSetThreadState(>)  1 
NtGdiGetTextMetricsW(>)  4 
NtQueryVolumeInformationFile(>)  9 
NtQueryAttributesFile(>)  47 


NtUserTranslateMessage(>)  1 
NtReadVirtualMemory(>)  4 
NtUserSetWindowFNID(>)  9 
NtGdiDeleteObjectApp(>)  51 


NtCreateProcessEx(>)  2 
NtUserCallHwndLock(>)  4 
NtOpenProcessToken(>)  10 
NtMapViewOfSection(>)  54 


NtCreateThread(>)  2 
NtUserFillWindow(>)  4 
NtUserDestroyCursor(>)  10 
NtWaitForSingleObject(>)  65 


NtDeviceIoControlFile(>)  2 
NtUserGetAtomName(>)  4 
NtUserGetIconInfo(>)  10 
NtReleaseMutant(>)  67 


NtGdiCreatePatternBrushInternal(>)  2 
NtUserGetClassName(>)  4 
NtUserWaitMessage(>)  10 
NtGdiSelectBitmap(>)  69 


NtGdiCreateSolidBrush(>)  2 
NtUserGetDCEx(>)  4 
NtUserCallNoParam(>)  11 
NtQueryValueKey(>)  70 


NtGdiDoPalette(>)  2 
NtUserWaitForInputIdle(>)  4 
NtUserSetWindowLong(>)  11 
NtUserCallOneParam(>)  71 


NtGdiStretchDIBitsInternal(>)  2 
NtGdiHfontCreate(>)  5 
NtRequestWaitReplyPort(>)  12 
NtUserMessageCall(>)  75 


NtOpenDirectoryObject(>)  2 
NtUserCalcMenuBar(>)  5 
NtUserCreateWindowEx(>)  12 
NtProtectVirtualMemory(>)  84 


NtQueryDebugFilterState(>)  2 
NtUserGetAncestor(>)  5 
NtGdiExtSelectClipRgn(>)  14 
NtOpenKey(>)  129 


NtQueryInformationJobObject(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtGdiGetRandomRgn(>)  14 
NtUserQueryWindow(>)  182 


NtQueryInstallUILanguage(>)  2 
NtUserGetTitleBarInfo(>)  5 
NtUserBuildHwndList(>)  14 
NtClose(>)  245 


NtResumeThread(>)  2 
NtUserPostMessage(>)  5 
NtUserGetDC(>)  14 
NtUserValidateHandleSecure(>)  428 


NtTerminateProcess(>)  2 
NtUserSetFocus(>)  5 
NtUserGetThreadState(>)  15 


NtUserCallHwndParam(>)  2 
NtWriteFile(>)  5 
NtUserKillTimer(>)  15 


NtUserDestroyWindow(>)  2 



Trace:

 00001   928   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   928   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   928   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   928   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   928   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   928   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   928   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   928   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   928   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   928   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   928   NtClose  (12, ... ) == 0x0
 00015   928   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   928   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   928   NtClose  (16, ... ) == 0x0
 00021   928   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   928   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   928   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   928   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   928   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   928   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   928   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   928   NtClose  (16, ... ) == 0x0
 00030   928   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   928   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   928   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   928   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   928   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 1972, 928, 57932, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1972, 928, 57932, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   928   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   928   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   928   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   928   NtClose  (16, ... ) == 0x0
 00041   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   928   NtClose  (16, ... ) == 0x0
 00044   928   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   928   NtClose  (16, ... ) == 0x0
 00048   928   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   928   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   928   NtClose  (16, ... ) == 0x0
 00052   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   928   NtClose  (16, ... ) == 0x0
 00055   928   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   928   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   928   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 1972, 928, 57933, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1972, 928, 57933, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   928   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 1972, 928, 57934, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1972, 928, 57934, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   928   NtProtectVirtualMemory  (-1, (0x40d000), 40960, 4, ... (0x40d000), 40960, 8, ) == 0x0
 00062   928   NtProtectVirtualMemory  (-1, (0x40d000), 40960, 8, ... (0x40d000), 40960, 8, ) == 0x0
 00063   928   NtFlushInstructionCache  (-1, 4247552, 40960, ... ) == 0x0
 00064   928   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065   928   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066   928   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067   928   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068   928   NtClose  (16, ... ) == 0x0
 00069   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070   928   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071   928   NtClose  (16, ... ) == 0x0
 00072   928   NtTestAlert  (... ) == 0x0
 00073   928   NtContinue  (1244464, 1, ...
 00074   928   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x416c5d,}, 4, ... ) == 0x0
 00075   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076   928   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077   928   NtClose  (16, ... ) == 0x0
 00078   928   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00080   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00081   928   NtClose  (16, ... ) == 0x0
 00082   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00083   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00084   928   NtClose  (16, ... ) == 0x0
 00085   928   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00086   928   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00087   928   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00088   928   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00089   928   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00090   928   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00091   928   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00092   928   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00093   928   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00094   928   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00095   928   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00096   928   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00097   928   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00098   928   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00099   928   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00100   928   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00101   928   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00102   928   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00103   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00106   928   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696}  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 1972, 928, 57935, 0}  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1972, 928, 57935, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00107   928   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00108   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239088, ... ) }, 1239088, ... ) == 0x0
 00109   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00110   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00111   928   NtClose  (16, ... ) == 0x0
 00112   928   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00113   928   NtClose  (28, ... ) == 0x0
 00114   928   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00115   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 00116   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00117   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00118   928   NtClose  (28, ... ) == 0x0
 00119   928   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00120   928   NtClose  (16, ... ) == 0x0
 00121   928   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00122   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239304, ... ) }, 1239304, ... ) == 0x0
 00123   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00124   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00125   928   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00126   928   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00127   928   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00128   928   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00130   928   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00131   928   NtClose  (36, ... ) == 0x0
 00132   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00133   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00134   928   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00135   928   NtClose  (36, ... ) == 0x0
 00136   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137   928   NtClose  (32, ... ) == 0x0
 00138   928   NtClose  (16, ... ) == 0x0
 00139   928   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00140   928   NtClose  (28, ... ) == 0x0
 00141   928   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00142   928   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00143   928   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00144   928   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00145   928   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00146   928   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00147   928   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00148   928   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00149   928   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00150   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00151   928   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00152   928   NtClose  (28, ... ) == 0x0
 00153   928   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00154   928   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00155   928   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00156   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00157   928   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00158   928   NtClose  (28, ... ) == 0x0
 00159   928   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00160   928   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00161   928   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00162   928   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00163   928   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00164   928   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00165   928   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00166   928   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00167   928   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00168   928   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00169   928   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00170   928   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00171   928   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00172   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00173   928   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00174   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00176   928   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00177   928   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00178   928   NtClose  (28, ... ) == 0x0
 00179   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00180   928   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   928   NtClose  (28, ... ) == 0x0
 00182   928   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00183   928   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00184   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00185   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00187   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236220, ... ) }, 1236220, ... ) == 0x0
 00188   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239624, ... ) }, 1239624, ... ) == 0x0
 00191   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00192   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00193   928   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194   928   NtClose  (16, ... ) == 0x0
 00195   928   NtMapViewOfSection  (-2147482740, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00196   928   NtClose  (-2147482740, ... ) == 0x0
 00197   928   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00198   928   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00199   928   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482740, ) == 0x0
 00200   928   NtQueryInformationToken  (-2147482740, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00201   928   NtQueryInformationToken  (-2147482740, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00202   928   NtClose  (-2147482740, ... ) == 0x0
 00203   928   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00204   928   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00205   928   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00206   928   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00207   928   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   928   NtClose  (-2147482740, ... ) == 0x0
 00209   928   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00210   928   NtQueryValueKey  (-2147482740,  (-2147482740, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211   928   NtClose  (-2147482740, ... ) == 0x0
 00212   928   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00213   928   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00214   928   NtUserCallNoParam  (24, ... ) == 0x0
 00215   928   NtGdiCreateCompatibleDC  (0, ...
 00216   928   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00215   928   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00217   928   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00218   928   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00219   928   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00220   928   NtGdiCreateSolidBrush  (0, 0, ...
 00221   928   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00220   928   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00222   928   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00223   928   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00224   928   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00225   928   NtUserGetThreadDesktop  (928, 0, ... ) == 0x24
 00226   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00227   928   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00228   928   NtClose  (44, ... ) == 0x0
 00229   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00230   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 673, 128, 0, ... ) == 0x816ec017
 00231   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00232   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 674, 128, 0, ... ) == 0x816ec01c
 00233   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00234   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 675, 128, 0, ... ) == 0x816ec01e
 00235   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00236   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 676, 128, 0, ... ) == 0x816e8002
 00237   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10013
 00238   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 677, 128, 0, ... ) == 0x816ec018
 00239   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00240   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 678, 128, 0, ... ) == 0x816ec01a
 00241   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00242   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 679, 128, 0, ... ) == 0x816ec01d
 00243   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00244   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 681, 128, 0, ... ) == 0x816ec026
 00245   928   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00246   928   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 680, 128, 0, ... ) == 0x816ec019
 00247   928   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x816ec020
 00248   928   NtUserRegisterClassExWOW  (1241020, 1241116, 1241100, 1241088, 0, 130, 0, ... ) == 0x816ec022
 00249   928   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x816ec023
 00250   928   NtUserRegisterClassExWOW  (1241020, 1241116, 1241100, 1241088, 0, 130, 0, ... ) == 0x816ec024
 00251   928   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x816ec025
 00252   928   NtCallbackReturn  (0, 0, 0, ...
 00253   928   NtGdiInit  (... ) == 0x1
 00254   928   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00255   928   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00256   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00257   928   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00258   928   NtClose  (44, ... ) == 0x0
 00259   928   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00260   928   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00261   928   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00262   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00264   928   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8650752, 65536, ) == 0x0
 00265   928   NtAllocateVirtualMemory  (-1, 8650752, 0, 4096, 4096, 4, ... 8650752, 4096, ) == 0x0
 00266   928   NtAllocateVirtualMemory  (-1, 8654848, 0, 8192, 4096, 4, ... 8654848, 8192, ) == 0x0
 00267   928   NtAllocateVirtualMemory  (-1, 8663040, 0, 4096, 4096, 4, ... 8663040, 4096, ) == 0x0
 00268   928   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00269   928   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 12288, ) == 0x0
 00270   928   NtClose  (44, ... ) == 0x0
 00271   928   NtAllocateVirtualMemory  (-1, 8667136, 0, 4096, 4096, 4, ... 8667136, 4096, ) == 0x0
 00272   928   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00273   928   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00274   928   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00275   928   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00276   928   NtUserModifyUserStartupInfoFlags  (1, 0, ... ) == 0x816e5328
 00277   928   NtUserGetDCEx  (0, 0, 3, ... ) == 0x1010051
 00278   928   NtUserGetForegroundWindow  (... ) == 0x70104
 00279   928   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00280   928   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00281   928   NtGdiGetTextCharsetInfo  (16842833, 0, 0, ... ) == 0x0
 00282   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x330404e1
 00283   928   NtGdiGetRandomRgn  (16842833, 855901409, 1, ... ) == 0x0
 00284   928   NtGdiIntersectClipRect  (16842833, 0, 0, 565, 738, ... ) == 0x3
 00285   928   NtGdiExtSelectClipRgn  (16842833, 0, 5, ... ) == 0x2
 00286   928   NtGdiGetTextCharsetInfo  (16842833, 0, 0, ... ) == 0x0
 00287   928   NtGdiGetRandomRgn  (16842833, 872678625, 1, ... ) == 0x0
 00288   928   NtGdiIntersectClipRect  (16842833, 0, 0, 382, 738, ... ) == 0x3
 00289   928   NtGdiExtSelectClipRgn  (16842833, 0, 5, ... ) == 0x2
 00290   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00291   928   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00292   928   NtUserFindExistingCursorIcon  (1241636, 1241652, 1241700, ... ) == 0x10011
 00293   928   NtUserSetCursor  (65553, ... ) == 0x10015
 00294   928   NtUserCallOneParam  (1, 50, ... ) == 0x1
 00295   928   NtUserFindExistingCursorIcon  (1241588, 1241604, 1241652, ... ) == 0x10015
 00296   928   NtUserSetCursor  (65557, ... ) == 0x10011
 00297   928   NtGdiCreateCompatibleDC  (0, ... ) == 0x52010634
 00298   928   NtGdiExtGetObjectW  (50987262, 92, 1241876, ... ) == 0x5c
 00299   928   NtGdiHfontCreate  (1241348, 356, 0, 0, 1331528, ... ) == 0x2a0a0697
 00300   928   NtGdiGetTextMetricsW  (1375798836, 1241872, 68, ... ) == 0x1
 00301   928   NtGdiGetWidthTable  (1375798836, 52, 1332232, 308, 1332848, 1331600, 1331616, ... ) == 0x1
 00302   928   NtGdiDeleteObjectApp  (1375798836, ... ) == 0x1
 00303   928   NtUserGetForegroundWindow  (... ) == 0x70104
 00304   928   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00305   928   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00306   928   NtUserGetAtomName  (32770, 1240848, ... ) == 0x6
 00307   928   NtUserCreateWindowEx  (65793, 32770, 32770,  (65793, 32770, 32770, "Error", -2134375995, 287, 335, 458, 126, 0, 0, 2118189056, 0, 1073742848, 0, ... , -2134375995, 287, 335, 458, 126, 0, 0, 2118189056, 0, 1073742848, 0, ...
 00308   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238320, ... ) }, 1238320, ... ) == 0x0
 00309   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00310   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 48, ) == 0x0
 00311   928   NtClose  (44, ... ) == 0x0
 00312   928   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 221184, ) == 0x0
 00313   928   NtClose  (48, ... ) == 0x0
 00314   928   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00315   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238628, ... ) }, 1238628, ... ) == 0x0
 00316   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00317   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00318   928   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00319   928   NtClose  (48, ... ) == 0x0
 00320   928   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00321   928   NtClose  (44, ... ) == 0x0
 00322   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00323   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00324   928   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00325   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00326   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00327   928   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00328   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00329   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00330   928   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00331   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00332   928   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00333   928   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00334   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00336   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00337   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00338   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00339   928   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00340   928   NtClose  (44, ... ) == 0x0
 00341   928   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0
 00342   928   NtOpenKey  (0x1, {24, 44, 0x40, 0, 0,  (0x1, {24, 44, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 48, ) }, ... 48, ) == 0x0
 00343   928   NtQueryValueKey  (48,  (48, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00344   928   NtClose  (48, ... ) == 0x0
 00345   928   NtClose  (44, ... ) == 0x0
 00346   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00347   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00348   928   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00349   928   NtClose  (44, ... ) == 0x0
 00350   928   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0
 00351   928   NtOpenKey  (0x1, {24, 44, 0x40, 0, 0,  (0x1, {24, 44, 0x40, 0, 0, "Control Panel\Desktop"}, ... 48, ) }, ... 48, ) == 0x0
 00352   928   NtQueryValueKey  (48,  (48, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00353   928   NtClose  (48, ... ) == 0x0
 00354   928   NtClose  (44, ... ) == 0x0
 00355   928   NtUserGetProcessWindowStation  (... ) == 0x20
 00356   928   NtUserGetObjectInformation  (32, 2, 1240416, 64, 1240412, ... ) == 0x1
 00357   928   NtUserGetGUIThreadInfo  (928, 1240436, ... ) == 0x1
 00358   928   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1240280, 64, ... 44, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1240280, 64, ... 44, 0x0, 0x0, 0x0, 64, ) == 0x0
 00359   928   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1972, 928, 57947, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57947, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00360   928   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57948, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1972, 928, 57948, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57948, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00361   928   NtUserCallNoParam  (29, ...
 00362   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237676, ... ) }, 1237676, ... ) == 0x0
 00361   928   NtUserCallNoParam  ... ) == 0x0
 00363   928   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00364   928   NtGdiHfontCreate  (1239804, 356, 0, 0, 1331520, ... ) == 0x540a0634
 00365   928   NtGdiHfontCreate  (1239804, 356, 0, 0, 1331512, ... ) == 0x720a0798
 00366   928   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57949, 0} "\0\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 1972, 928, 57949, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1972, 928, 57949, 0} "\0\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00367   928   NtMapViewOfSection  (48, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 327680, ) == 0x0
 00368   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00369   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00370   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00371   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00372   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00373   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00374   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00375   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00376   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00377   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00378   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00379   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00380   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00381   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00382   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00383   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00384   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00385   928   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x3c10056c
 00386   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00387   928   NtUserCallNoParam  (29, ...
 00388   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237116, ... ) }, 1237116, ... ) == 0x0
 00387   928   NtUserCallNoParam  ... ) == 0x0
 00389   928   NtUserCallNoParam  (29, ...
 00390   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237112, ... ) }, 1237112, ... ) == 0x0
 00389   928   NtUserCallNoParam  ... ) == 0x0
 00391   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1238324, ... ) }, 1238324, ... ) == 0x0
 00392   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00393   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0
 00394   928   NtClose  (52, ... ) == 0x0
 00395   928   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 294912, ) == 0x0
 00396   928   NtClose  (56, ... ) == 0x0
 00397   928   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00398   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1238632, ... ) }, 1238632, ... ) == 0x0
 00399   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00400   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00401   928   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00402   928   NtClose  (56, ... ) == 0x0
 00403   928   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0
 00404   928   NtClose  (52, ... ) == 0x0
 00405   928   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00406   928   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00407   928   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00408   928   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00409   928   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00410   928   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00411   928   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00412   928   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00413   928   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00414   928   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00415   928   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00416   928   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00417   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1235988, ... ) }, 1235988, ... ) == 0x0
 00419   928   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00420   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00421   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1
 00422   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2
 00423   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3
 00424   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4
 00425   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5
 00426   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6
 00427   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7
 00428   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8
 00429   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9
 00430   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa
 00431   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab
 00432   928   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac
 00433   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 1235996, ... ) }, 1235996, ... ) == 0x0
 00434   928   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0}  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\240\3\0\0\0\0\0\0" ... {24, 52, reply, 0, 1972, 928, 57950, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\240\3\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 1972, 928, 57950, 0}  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\240\3\0\0\0\0\0\0" ... {24, 52, reply, 0, 1972, 928, 57950, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\240\3\0\0\0\0\0\0" )  ) == 0x0
 00435   928   NtUserGetThreadDesktop  (928, 0, ... ) == 0x24
 00436   928   NtUserGetObjectInformation  (36, 2, 1318544, 520, 1238296, ... ) == 0x1
 00437   928   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00438   928   NtQueryInformationToken  (52, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00439   928   NtQueryInformationToken  (52, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 00440   928   NtClose  (52, ... ) == 0x0
 00441   928   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00442   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 56, ) }, {3240, 0}, 4, 134217728, 0, ... 56, ) == STATUS_OBJECT_NAME_EXISTS
 00443   928   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8b0000), {0, 0}, 4096, ) == 0x0
 00444   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 60, ) }, ... 60, ) == 0x0
 00446   928   NtQueryValueKey  (60,  (60, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00447   928   NtClose  (60, ... ) == 0x0
 00448   928   NtUserFindExistingCursorIcon  (1237828, 1237844, 1237892, ... ) == 0x10011
 00449   928   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00450   928   NtUserRegisterClassExWOW  (1238100, 1238196, 1238180, 1238168, 0, 386, 0, ... ) == 0x816ec0ad
 00451   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 60, ) }, 0, ... 60, ) == STATUS_OBJECT_NAME_EXISTS
 00452   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 64, ) }, 0, ... 64, ) == STATUS_OBJECT_NAME_EXISTS
 00453   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 68, ) }, 0, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00454   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 72, ) }, 0, ... 72, ) == STATUS_OBJECT_NAME_EXISTS
 00455   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 76, ) }, 0, ... 76, ) == STATUS_OBJECT_NAME_EXISTS
 00456   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00457   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00458   928   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00459   928   NtClose  (80, ... ) == 0x0
 00460   928   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00461   928   NtSetInformationObject  (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00462   928   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 84, ) }, ... 84, ) == 0x0
 00463   928   NtQueryValueKey  (84,  (84, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00464   928   NtQueryValueKey  (84,  (84, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   928   NtQueryValueKey  (84,  (84, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00466   928   NtClose  (84, ... ) == 0x0
 00467   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 1235816, ... ) }, 1235816, ... ) == 0x0
 00468   928   NtQueryDefaultUILanguage  (1238376, ...
 00469   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00470   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00471   928   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00472   928   NtClose  (-2147482740, ... ) == 0x0
 00473   928   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00474   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00476   928   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   928   NtClose  (-2147481328, ... ) == 0x0
 00478   928   NtClose  (-2147482740, ... ) == 0x0
 00468   928   NtQueryDefaultUILanguage  ... ) == 0x0
 00479   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 84, ) }, ... 84, ) == 0x0
 00480   928   NtQueryValueKey  (84,  (84, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   928   NtClose  (84, ... ) == 0x0
 00482   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 84, ) }, 0, ... 84, ) == STATUS_OBJECT_NAME_EXISTS
 00483   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 88, ) }, ... 88, ) == 0x0
 00484   928   NtMapViewOfSection  (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8c0000), {0, 0}, 262144, ) == 0x0
 00485   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00486   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00487   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00488   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00489   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00490   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00491   928   NtUserSetWindowsHookEx  (1953628160, 1239852, 928, 2, 1953694283, 2, ... ) == 0x601df
 00492   928   NtUserSetWindowsHookEx  (1953628160, 1239852, 928, 7, 1953693577, 2, ... ) == 0x18022f
 00493   928   NtUserSetWindowFNID  (655618, 676, ... ) == 0x1
 00494   928   NtUserCallHwndParam  (655618, 1335228, 79, ... ) == 0x145fbc
 00495   928   NtUserMessageCall  (0xa0102, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00496   928   NtUserSetWindowFNID  (590100, 681, ... ) == 0x1
 00497   928   NtUserSetWindowLong  (590100, 0, 1333176, 0, ... ) == 0x0
 00498   928   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 92, ) }, ... 92, ) == 0x0
 00499   928   NtQueryValueKey  (92,  (92, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 00500   928   NtClose  (92, ... ) == 0x0
 00501   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00502   928   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00503   928   NtClose  (92, ... ) == 0x0
 00504   928   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00505   928   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00506   928   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00507   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00508   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00509   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00510   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237116, ... ) }, 1237116, ... ) == 0x0
 00511   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00512   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00513   928   NtClose  (92, ... ) == 0x0
 00514   928   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 180224, ) == 0x0
 00515   928   NtClose  (96, ... ) == 0x0
 00516   928   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00517   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236712, ... ) }, 1236712, ... ) == 0x0
 00518   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237456,  (0x80100080, {24, 0, 0x40, 0, 1237456, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0
 00519   928   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 92, ) == 0x0
 00520   928   NtClose  (96, ... ) == 0x0
 00521   928   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 180224, ) == 0x0
 00522   928   NtClose  (92, ... ) == 0x0
 00523   928   NtQueryDefaultUILanguage  (2090319928, ...
 00524   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 00526   928   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   928   NtClose  (-2147482740, ... ) == 0x0
 00528   928   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 00529   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 00531   928   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   928   NtClose  (-2147481328, ... ) == 0x0
 00533   928   NtClose  (-2147482740, ... ) == 0x0
 00523   928   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   928   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00535   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00536   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00537   928   NtQueryDefaultLocale  (1, 1238076, ... ) == 0x0
 00538   928   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00539   928   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00540   928   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00541   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00542   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00543   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237108, ... ) }, 1237108, ... ) == 0x0
 00544   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00545   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00546   928   NtClose  (92, ... ) == 0x0
 00547   928   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 180224, ) == 0x0
 00548   928   NtClose  (96, ... ) == 0x0
 00549   928   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00550   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236704, ... ) }, 1236704, ... ) == 0x0
 00551   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237448,  (0x80100080, {24, 0, 0x40, 0, 1237448, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0
 00552   928   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 92, ) == 0x0
 00553   928   NtClose  (96, ... ) == 0x0
 00554   928   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 180224, ) == 0x0
 00555   928   NtClose  (92, ... ) == 0x0
 00556   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00557   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00558   928   NtQueryDefaultLocale  (1, 1238068, ... ) == 0x0
 00559   928   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00560   928   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00561   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 00562   928   NtUnmapViewOfSection  (-1, 0x77c00000, ... ) == 0x0
 00563   928   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 92, ) }, ... 92, ) == 0x0
 00564   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00565   928   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 96, ) }, ... 96, ) == 0x0
 00566   928   NtMapViewOfSection  (96, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 57344, ) == 0x0
 00567   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00568   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00569   928   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00570   928   NtClose  (100, ... ) == 0x0
 00571   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00573   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237088, ... ) }, 1237088, ... ) == 0x0
 00574   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00575   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00576   928   NtClose  (100, ... ) == 0x0
 00577   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 180224, ) == 0x0
 00578   928   NtClose  (104, ... ) == 0x0
 00579   928   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00580   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237396, ... ) }, 1237396, ... ) == 0x0
 00581   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00582   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00583   928   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00584   928   NtClose  (104, ... ) == 0x0
 00585   928   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 00586   928   NtClose  (100, ... ) == 0x0
 00587   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00588   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00589   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00590   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00591   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00592   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00593   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00594   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00595   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00596   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00597   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00598   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00599   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00600   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00601   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00602   928   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00603   928   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00604   928   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00605   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   928   NtUserGetDC  (0, ... ) == 0x1010051
 00607   928   NtUserSystemParametersInfo  (66, 12, 1237584, 0, ... ) == 0x1
 00608   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00609   928   NtGdiCreateCompatibleDC  (0, ... ) == 0x9d01066e
 00610   928   NtGdiCreateCompatibleDC  (0, ... ) == 0xc70104aa
 00611   928   NtGdiCreateCompatibleDC  (0, ... ) == 0x9b010551
 00612   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 1234916, ... ) }, 1234916, ... ) == 0x0
 00613   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00614   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00615   928   NtClose  (100, ... ) == 0x0
 00616   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 1286144, ) == 0x0
 00617   928   NtClose  (104, ... ) == 0x0
 00618   928   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00619   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 1235224, ... ) }, 1235224, ... ) == 0x0
 00620   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00621   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00622   928   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00623   928   NtClose  (104, ... ) == 0x0
 00624   928   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00625   928   NtClose  (100, ... ) == 0x0
 00626   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00627   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00628   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00629   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00630   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00631   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00632   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00633   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00634   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00635   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00636   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00637   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00638   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00639   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00640   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00641   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00642   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00643   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00644   928   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00645   928   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00646   928   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00647   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648   928   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00649   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 100, {status=0x0, info=0}, ) }, 7, 16, ... 100, {status=0x0, info=0}, ) == 0x0
 00650   928   NtDeviceIoControlFile  (100, 0, 0x0, 0x0, 0x390008,  (100, 0, 0x0, 0x0, 0x390008, "\273\252H!]h\335\242\2202\270&f\361\236u\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00651   928   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00652   928   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00653   928   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00654   928   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00655   928   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00656   928   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00657   928   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00658   928   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482740, 2, ) }, 0, 0x0, 0, ... -2147482740, 2, ) == 0x0
 00659   928   NtSetValueKey  (-2147482740,  (-2147482740, "Seed", 0, 3, "\343\34\20NX-\16s\235\23\345\17\233]\0\214\4\362\276\22'\6rI\232IW5\217\212\314h&\5qC*x\270\370\266\245\352b"\25\320>\344P\266\23\10\274r\203\2\272\340\225\206C\245Q\375gf~\376\203\204\322\363(\315\300`\3246U", 80, ... ) , 0, 3,  (-2147482740, "Seed", 0, 3, "\343\34\20NX-\16s\235\23\345\17\233]\0\214\4\362\276\22'\6rI\232IW5\217\212\314h&\5qC*x\270\370\266\245\352b"\25\320>\344P\266\23\10\274r\203\2\272\340\225\206C\245Q\375gf~\376\203\204\322\363(\315\300`\3246U", 80, ... ) \25\320>\344P\266\23\10\274r\203\2\272\340\225\206C\245Q\375gf~\376\203\204\322\363(\315\300`\3246U", 80, ... ) == 0x0
 00660   928   NtClose  (-2147482740, ... ) == 0x0
 00650   928   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\6t\353\320\335C?\227]Z\321\350\212'#\30iu\350\302J\\342\24X7EG\216\15\221&5\240h)\11\316\222\250\34}T\247\255Ac\321e\376\3734_$\17\41-\177\270\305|bFF\236K\200K\332]A\35\4\221\210\33\377Kw#\267\340+|N\26\2670\312E\220!q\263\36\7\237\202\4\32l:\262\203|\256/u\325~\24\210=Y\215V\335x\263l\266i\13`\352y$JY\253\341\225\326\10\5\30\365"r\25\17\221E\\340{2,z\212\273\337`\245\224\13\361\216\267\20\306"\244?\345+I\204\205VD\262Ai\302\2\311\214a5\205[\327;1Z[\17\355\237\224]\321{\334v<\365-\301K\220\224J\264\311u\253\252\300\254\201\252\265\246\326\4C\371Y{\2$$\30\356,\337\314\377\301g\304\213\353\16\10\205\354\377\3\21\316>\262\341\372\364\23y\317\250\203\177\351", ) r\25\17\221E\\340{2,z\212\273\337`\245\224\13\361\216\267\20\306 ... {status=0x0, info=256}, "\6t\353\320\335C?\227]Z\321\350\212'#\30iu\350\302J\\342\24X7EG\216\15\221&5\240h)\11\316\222\250\34}T\247\255Ac\321e\376\3734_$\17\41-\177\270\305|bFF\236K\200K\332]A\35\4\221\210\33\377Kw#\267\340+|N\26\2670\312E\220!q\263\36\7\237\202\4\32l:\262\203|\256/u\325~\24\210=Y\215V\335x\263l\266i\13`\352y$JY\253\341\225\326\10\5\30\365"r\25\17\221E\\340{2,z\212\273\337`\245\224\13\361\216\267\20\306"\244?\345+I\204\205VD\262Ai\302\2\311\214a5\205[\327;1Z[\17\355\237\224]\321{\334v<\365-\301K\220\224J\264\311u\253\252\300\254\201\252\265\246\326\4C\371Y{\2$$\30\356,\337\314\377\301g\304\213\353\16\10\205\354\377\3\21\316>\262\341\372\364\23y\317\250\203\177\351", ) , ) == 0x0
 00661   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00662   928   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00663   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 104, ) }, ... 104, ) == 0x0
 00664   928   NtQueryValueKey  (104,  (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00665   928   NtClose  (104, ... ) == 0x0
 00666   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 104, ) }, ... 104, ) == 0x0
 00667   928   NtQueryValueKey  (104,  (104, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   928   NtClose  (104, ... ) == 0x0
 00669   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00670   928   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00671   928   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00672   928   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00673   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 104, ) }, ... 104, ) == 0x0
 00674   928   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   928   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   928   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   928   NtClose  (104, ... ) == 0x0
 00678   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 104, ) }, ... 104, ) == 0x0
 00679   928   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680   928   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   928   NtClose  (104, ... ) == 0x0
 00682   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   928   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10003
 00684   928   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10011
 00685   928   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00686   928   NtUserGetClassInfo  (1968963584, 1236988, 1237552, 1236984, 0, ... ) == 0x0
 00687   928   NtUserRegisterClassExWOW  (1236872, 1236940, 1236956, 1236972, 0, 384, 0, ... ) == 0x816ec079
 00688   928   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10013
 00689   928   NtUserGetClassInfo  (1968963584, 1236988, 1237552, 1236984, 0, ... ) == 0x0
 00690   928   NtUserRegisterClassExWOW  (1236872, 1236940, 1236956, 1236972, 0, 384, 0, ... ) == 0x816ec07a
 00691   928   NtUserRegisterWindowMessage  ( ("MSIMEService", ... ) , ... ) == 0xc07b
 00692   928   NtUserRegisterWindowMessage  ( ("MSIMEUIReady", ... ) , ... ) == 0xc07c
 00693   928   NtUserRegisterWindowMessage  ( ("MSIMEReconvertRequest", ... ) , ... ) == 0xc07d
 00694   928   NtUserRegisterWindowMessage  ( ("MSIMEReconvert", ... ) , ... ) == 0xc07e
 00695   928   NtUserRegisterWindowMessage  ( ("MSIMEDocumentFeed", ... ) , ... ) == 0xc07f
 00696   928   NtUserRegisterWindowMessage  ( ("MSIMEQueryPosition", ... ) , ... ) == 0xc080
 00697   928   NtUserRegisterWindowMessage  ( ("MSIMEModeBias", ... ) , ... ) == 0xc081
 00698   928   NtUserRegisterWindowMessage  ( ("MSIMEShowImePad", ... ) , ... ) == 0xc082
 00699   928   NtUserRegisterWindowMessage  ( ("MSIMEMouseOperation", ... ) , ... ) == 0xc083
 00700   928   NtUserRegisterWindowMessage  ( ("MSIMEKeyMap", ... ) , ... ) == 0xc084
 00701   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1237748, ... ) }, 1237748, ... ) == 0x0
 00702   928   NtUserMessageCall  (0x90114, WM_NCCREATE, 0x0, 0x12eea0, 0, 670, 0, ... ) == 0x1
 00703   928   NtUserMessageCall  (0x90114, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00704   928   NtUserSetProp  (590100, 43288, -1, ... ) == 0x1
 00705   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00706   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00707   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00708   928   NtUserUpdateInputContext  (7536899, 1, 590100, ... ) == 0x1
 00709   928   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF"}, ... 104, ) }, ... 104, ) == 0x0
 00710   928   NtQueryValueKey  (104,  (104, "Disable Thread Input Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711   928   NtClose  (104, ... ) == 0x0
 00712   928   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00713   928   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 00714   928   NtDuplicateToken  (104, 0xc, {24, 0, 0x0, 0, 1239580, 0x0}, 0, 2, ... 108, ) == 0x0
 00715   928   NtClose  (104, ... ) == 0x0
 00716   928   NtAccessCheck  (1341280, 108, 0x1, 1239656, 1239708, 56, 1239688, ... (0x1), ) == 0x0
 00717   928   NtClose  (108, ... ) == 0x0
 00718   928   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\CTF\SystemShared"}, ... 108, ) }, ... 108, ) == 0x0
 00719   928   NtQueryValueKey  (108,  (108, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00720   928   NtClose  (108, ... ) == 0x0
 00721   928   NtUserGetImeInfoEx  (1239472, 0, ... ) == 0x1
 00722   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00723   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00725   928   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   928   NtClose  (108, ... ) == 0x0
 00727   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00729   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236504, ... ) }, 1236504, ... ) == 0x0
 00730   928   NtUserGetThreadState  (16, ... ) == 0x0
 00731   928   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00732   928   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 00733   928   NtDuplicateToken  (108, 0xc, {24, 0, 0x0, 0, 1238504, 0x0}, 0, 2, ... 104, ) == 0x0
 00734   928   NtClose  (108, ... ) == 0x0
 00735   928   NtAccessCheck  (1341280, 104, 0x1, 1238580, 1238632, 56, 1238612, ... (0x1), ) == 0x0
 00736   928   NtClose  (104, ... ) == 0x0
 00737   928   NtUserGetClassInfo  (1968963584, 1238224, 1238168, 1238216, 0, ... ) == 0xc079
 00738   928   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00739   928   NtUserGetClassName  (655618, 0, 1239972, ... ) == 0x6
 00740   928   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 00741   928   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357}  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357} "\0\0\0\0\5\4\3\0o\0f\0t\0 \0\240\3\0\0,\352\22\0" ... {24, 52, reply, 0, 1972, 928, 57951, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0 \0\240\3\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 1972, 928, 57951, 0}  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357} "\0\0\0\0\5\4\3\0o\0f\0t\0 \0\240\3\0\0,\352\22\0" ... {24, 52, reply, 0, 1972, 928, 57951, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0 \0\240\3\0\0\0\0\0\0" )  ) == 0x0
 00742   928   NtUserGetThreadDesktop  (928, 0, ... ) == 0x24
 00743   928   NtUserGetObjectInformation  (36, 2, 1239656, 520, 0, ... ) == 0x1
 00744   928   NtGdiDeleteObjectApp  (1007682924, ... ) == 0x1
 00745   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00746   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00747   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00748   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00749   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00750   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00751   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00752   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00753   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00754   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00755   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00756   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00757   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00758   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00759   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00760   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00761   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00762   928   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x3d10056c
 00763   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00764   928   NtUserSetProp  (655618, 43288, 8661168, ... ) == 0x1
 00307   928   NtUserCreateWindowEx  ... ) == 0xa0102
 00765   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00766   928   NtUserCallHwndLock  (655618, 90, ... ) == 0x1
 00767   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00768   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00769   928   NtUserGetAtomName  (49175, 1240848, ... ) == 0x6
 00770   928   NtUserCreateWindowEx  (4, 49175, 49175,  (4, 49175, 49175, "OK", 1342373889, 188, 60, 75, 23, 655618, 1, 2118189056, 0, 1073742848, 0, ... , 1342373889, 188, 60, 75, 23, 655618, 1, 2118189056, 0, 1073742848, 0, ...
 00771   928   NtUserSetWindowFNID  (1573108, 673, ... ) == 0x1
 00772   928   NtUserSetWindowLong  (1573108, 0, 1341692, 0, ... ) == 0x0
 00773   928   NtUserMessageCall  (0x1800f4, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00774   928   NtUserMessageCall  (0x1800f4, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00775   928   NtUserSetProp  (1573108, 43288, -1, ... ) == 0x1
 00770   928   NtUserCreateWindowEx  ... ) == 0x1800f4
 00776   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00777   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00778   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00779   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00780   928   NtUserGetAtomName  (49177, 1240848, ... ) == 0x6
 00781   928   NtUserCreateWindowEx  (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 655618, 20, 2118189056, 0, 1073742848, 0, ...
 00782   928   NtUserSetWindowFNID  (327932, 680, ... ) == 0x1
 00783   928   NtUserSetWindowLong  (327932, 0, 1341896, 0, ... ) == 0x0
 00784   928   NtUserMessageCall  (0x500fc, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00785   928   NtUserMessageCall  (0x500fc, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00786   928   NtUserSetProp  (327932, 43288, -1, ... ) == 0x1
 00787   928   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x0
 00788   928   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x0
 00789   928   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x10009
 00790   928   NtUserGetIconSize  (65545, 0, 1240216, 1240220, ... ) == 0x1
 00791   928   NtUserGetCursorFrameInfo  (65545, 0, 1240252, 1240228, ... ) == 0x10009
 00792   928   NtUserSetWindowPos  (327932, 0, 0, 0, 32, 32, 22, ...
 00793   928   NtUserMessageCall  (0x500fc, WM_WINDOWPOSCHANGING, 0x0, 0x12ec14, 0, 670, 0, ... ) == 0x0
 00794   928   NtUserMessageCall  (0x500fc, WM_NCCALCSIZE, 0x1, 0x12ebe8, 0, 670, 0, ... ) == 0x0
 00795   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 00792   928   NtUserSetWindowPos  ... ) == 0x1
 00781   928   NtUserCreateWindowEx  ... ) == 0x500fc
 00796   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00797   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00798   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00799   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00800   928   NtUserGetAtomName  (49177, 1240848, ... ) == 0x6
 00801   928   NtUserCreateWindowEx  (4, 49177, 49177,  (4, 49177, 49177, "Could not initialize installation. File size expected=26523, size returned=26344.", 1342316672, 62, 20, 384, 15, 655618, 65535, 2118189056, 0, 1073742848, 0, ... , 1342316672, 62, 20, 384, 15, 655618, 65535, 2118189056, 0, 1073742848, 0, ...
 00802   928   NtUserSetWindowFNID  (852250, 680, ... ) == 0x1
 00803   928   NtUserSetWindowLong  (852250, 0, 1341872, 0, ... ) == 0x0
 00804   928   NtUserMessageCall  (0xd011a, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00805   928   NtUserMessageCall  (0xd011a, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00806   928   NtUserSetProp  (852250, 43288, -1, ... ) == 0x1
 00801   928   NtUserCreateWindowEx  ... ) == 0xd011a
 00807   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00808   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00809   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00810   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00811   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00812   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00813   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00814   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00815   928   NtUserSetWindowLong  (655618, -21, 1243324, 0, ... ) == 0x0
 00816   928   NtUserCallHwnd  (655618, 73, ... ) == 0xbc64fea8
 00817   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00818   928   NtUserSetFocus  (1573108, ...
 00819   928   NtUserPostThreadMessage  (928, 49313, 17, 1573108, ... ) == 0x1
 00820   928   NtUserGetForegroundWindow  (... ) == 0x0
 00821   928   NtUserMessageCall  (0xa0102, WM_NCACTIVATE, 0x1, 0xffffffff, 0, 670, 0, ... ) == 0x1
 00822   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 00823   928   NtUserGetWindowDC  (655618, ... ) == 0x1010050
 00824   928   NtGdiGetTextMetricsW  (16842832, 1239856, 68, ... ) == 0x1
 00825   928   NtGdiGetRandomRgn  (16842832, 889455841, 1, ... ) == 0x0
 00826   928   NtGdiIntersectClipRect  (16842832, 0, 0, 0, 0, ... ) == 0x3
 00827   928   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00828   928   NtGdiGetWidthTable  (16842832, 5, 1342616, 261, 1343138, 1341984, 1342000, ... ) == 0x1
 00829   928   NtGdiExtSelectClipRgn  (16842832, 0, 5, ... ) == 0x1
 00830   928   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 00831   928   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 00832   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239816, 690, 0, ...
 00833   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 00832   928   NtUserMessageCall  ... ) == 0x0
 00834   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239816, 690, 0, ...
 00835   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 00834   928   NtUserMessageCall  ... ) == 0x0
 00836   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239816, 690, 0, ...
 00837   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 00836   928   NtUserMessageCall  ... ) == 0x0
 00838   928   NtUserGetTitleBarInfo  (655618, 1240448, ... ) == 0x1
 00839   928   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010054
 00840   928   NtGdiExcludeClipRect  (16842836, 3, 29, 455, 123, ... ) == 0x3
 00841   928   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00842   928   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00843   928   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00844   928   NtGdiCreateCompatibleBitmap  (16842836, 458, 29, ... ) == 0xae0506b2
 00845   928   NtGdiCreateCompatibleDC  (16842836, ... ) == 0xc0105d6
 00846   928   NtGdiSelectBitmap  (201393622, -1375402318, ... ) == 0x185000f
 00847   928   NtGdiDrawStream  (201393622, 96, 1239824, ... ) == 0x1
 00848   928   NtGdiDrawStream  (201393622, 96, 1239780, ... ) == 0x1
 00849   928   NtGdiDrawStream  (201393622, 96, 1239780, ... ) == 0x1
 00850   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 00851   928   NtGdiGetRandomRgn  (201393622, 906233057, 1, ... ) == 0x0
 00852   928   NtGdiIntersectClipRect  (201393622, 8, 8, 430, 25, ... ) == 0x3
 00853   928   NtGdiExtSelectClipRgn  (201393622, 0, 5, ... ) == 0x2
 00854   928   NtGdiGetRandomRgn  (201393622, 923010273, 1, ... ) == 0x0
 00855   928   NtGdiIntersectClipRect  (201393622, 7, 7, 429, 25, ... ) == 0x3
 00856   928   NtGdiExtSelectClipRgn  (201393622, 0, 5, ... ) == 0x2
 00857   928   NtGdiBitBlt  (16842836, 0, 0, 458, 29, 201393622, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00858   928   NtGdiSelectBitmap  (201393622, 25493519, ... ) == 0xae0506b2
 00859   928   NtGdiDeleteObjectApp  (201393622, ... ) == 0x1
 00860   928   NtGdiDeleteObjectApp  (-1375402318, ... ) == 0x1
 00861   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00862   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00863   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00864   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00865   928   NtUserQueryWindow  (1573108, 8, ... ) == 0x730103
 00866   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00867   928   NtUserGetThreadState  (13, ... ) == 0x0
 00868   928   NtUserUpdateInputContext  (7536899, 0, 1319624, ... ) == 0x1
 00869   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00870   928   NtUserQueryInputContext  (7536899, 1, ... ) == 0x3a0
 00871   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00872   928   NtUserQueryInputContext  (7536899, 2, ... ) == 0x90114
 00873   928   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9502720, 524288, ) == 0x0
 00874   928   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00875   928   NtUserCallOneParam  (928, 40, ... ) == 0x4090409
 00876   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00877   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00878   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00879   928   NtUserGetDC  (0, ... ) == 0x1010051
 00880   928   NtGdiGetDCObject  (16842833, 655360, ... ) == 0x18a0021
 00881   928   NtGdiExtGetObjectW  (25821217, 92, 1240308, ... ) == 0x5c
 00882   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00883   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00884   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00885   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00886   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00887   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00888   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00889   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00890   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00891   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00892   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00893   928   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 00894   928   NtUserGetImeInfoEx  (1239348, 0, ... ) == 0x1
 00895   928   NtUserGetClassInfo  (1968963584, 1238732, 1238676, 1238724, 0, ... ) == 0xc079
 00896   928   NtUserCreateWindowEx  (0, 1239128, 1237892,  (0, 1239128, 1237892, "MSCTFIME UI", -2013265920, 0, 0, 0, 0, 590100, 0, 1968963584, 0, 1073742848, 0, ... , -2013265920, 0, 0, 0, 0, 590100, 0, 1968963584, 0, 1073742848, 0, ...
 00897   928   NtUserGetIconSize  (65539, 0, 1236652, 1236656, ... ) == 0x1
 00898   928   NtUserGetIconInfo  (65539, 1236628, 1236620, 1236612, 1236648, 1, ... ) == 0x1
 00899   928   NtUserFindExistingCursorIcon  (1236392, 1236408, 1236584, ... ) == 0x10003
 00900   928   NtGdiExtGetObjectW  (-1358625102, 24, 1236392, ... ) == 0x18
 00901   928   NtGdiGetDIBitsInternal  (-301922896, -1358625102, 0, 64, 1345432, 1345384, 0, 256, 0, ... ) == 0x40
 00902   928   NtUserGetDC  (0, ... ) == 0x1010051
 00903   928   NtGdiCreateDIBitmapInternal  (16842833, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xa20507d3
 00904   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00905   928   NtGdiSelectBitmap  (-301922896, -1576728621, ... ) == 0x185000f
 00906   928   NtGdiDoPalette  (-301922896, 0, 1, 1236252, 4, 0, ... ) == 0x1
 00907   928   NtGdiStretchDIBitsInternal  (-301922896, 0, 0, 16, 32, 0, 0, 32, 64, 1345432, 1343144, 0, 13369376, 48, 256, 0, ... ) == 0x40
 00908   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa20507d3
 00909   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x440106b3
 00910   928   NtGdiExtGetObjectW  (-1576728621, 24, 1236276, ... ) == 0x18
 00911   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x260504d9
 00912   928   NtGdiSelectBitmap  (-301922896, -1576728621, ... ) == 0x185000f
 00913   928   NtGdiSelectBitmap  (1140917939, 637863129, ... ) == 0x185000f
 00914   928   NtGdiBitBlt  (1140917939, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00915   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa20507d3
 00916   928   NtGdiSelectBitmap  (1140917939, 25493519, ... ) == 0x260504d9
 00917   928   NtGdiDeleteObjectApp  (-1576728621, ... ) == 0x1
 00918   928   NtGdiDeleteObjectApp  (1140917939, ... ) == 0x1
 00919   928   NtGdiExtGetObjectW  (755304161, 24, 1236392, ... ) == 0x18
 00920   928   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00921   928   NtGdiGetDIBitsInternal  (-301922896, 755304161, 0, 32, 1345748, 1345696, 0, 4096, 0, ... ) == 0x20
 00922   928   NtUserGetDC  (0, ... ) == 0x1010051
 00923   928   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0x460506b3
 00924   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00925   928   NtGdiSelectBitmap  (-301922896, 1174734515, ... ) == 0x185000f
 00926   928   NtGdiDoPalette  (-301922896, 0, 1, 1236252, 4, 0, ... ) == 0x0
 00927   928   NtGdiStretchDIBitsInternal  (-301922896, 0, 0, 16, 16, 0, 0, 32, 32, 1345748, 1343144, 0, 13369376, 40, 4096, 0, ... ) == 0x20
 00928   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x460506b3
 00929   928   NtGdiDeleteObjectApp  (-1358625102, ... ) == 0x1
 00930   928   NtGdiDeleteObjectApp  (755304161, ... ) == 0x1
 00931   928   NtUserCallOneParam  (0, 33, ... ) == 0x4500e5
 00932   928   NtUserSetCursorIconData  (4522213, 1236436, 1236452, 1236496, ... ) == 0x1
 00933   928   NtUserMessageCall  (0x11012c, WM_NCCREATE, 0x0, 0x12e2fc, 0, 670, 1, ... ) == 0x1
 00934   928   NtUserMessageCall  (0x11012c, WM_NCCALCSIZE, 0x0, 0x12e324, 0, 670, 1, ... ) == 0x0
 00935   928   NtUserSetProp  (1114412, 43288, -1, ... ) == 0x1
 00936   928   NtUserSetWindowLong  (1114412, 4, 1341256, 1, ... ) == 0x0
 00896   928   NtUserCreateWindowEx  ... ) == 0x11012c
 00937   928   NtUserSetWindowLong  (1114412, 0, 7536899, 0, ... ) == 0x0
 00938   928   NtUserGetThreadState  (17, ... ) == 0x0
 00939   928   NtUserQueryWindow  (590100, 3, ... ) == 0x1800f4
 00940   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00941   928   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00942   928   NtUserUpdateInputContext  (7536899, 1, 0, ... ) == 0x1
 00943   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00944   928   NtUserSetWindowLong  (1114412, 0, 0, 0, ... ) == 0x730103
 00945   928   NtUserSetImeOwnerWindow  (590100, 0, ... ) == 0x1
 00946   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00947   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00948   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00949   928   NtUserKillTimer  (1114412, 1, ... ) == 0x0
 00950   928   NtUserSetTimer  (1114412, 1, 300, 0, ... ) == 0x1
 00951   928   NtUserCallNoParam  (7, ... ) == 0x1
 00952   928   NtUserQueryWindow  (590100, 3, ... ) == 0x1800f4
 00953   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00954   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00955   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00956   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00957   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00958   928   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 00959   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00960   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00961   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00962   928   NtUserCallHwndLock  (590100, 86, ... ) == 0x1
 00963   928   NtUserNotifyIMEStatus  (1573108, 0, 0, ...
 00964   928   NtUserGetForegroundWindow  (... ) == 0xa0102
 00965   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00966   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00963   928   NtUserNotifyIMEStatus  ... ) == 0x816e5328
 00818   928   NtUserSetFocus  ... ) == 0x0
 00967   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00968   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00969   928   NtUserSetWindowLong  (1573108, -12, 2, 0, ... ) == 0x1
 00970   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00971   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00972   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00973   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00974   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00975   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00976   928   NtUserGetClassName  (1573108, 0, 1241340, ... ) == 0x6
 00977   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00978   928   NtUserGetClassName  (327932, 0, 1241340, ... ) == 0x6
 00979   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00980   928   NtUserGetClassName  (852250, 0, 1241340, ... ) == 0x6
 00981   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00982   928   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 00983   928   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 00984   928   NtUserSetWindowPos  (655618, 0, 287, 335, 458, 126, 1047, ... ) == 0x1
 00985   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00986   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00987   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00988   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00989   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00990   928   NtUserMessageCall  (0xa0102, 0x128, 0x30001, 0x0, 0, 670, 0, ...
 00991   928   NtUserMessageCall  (0x1800f4, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00992   928   NtUserMessageCall  (0x500fc, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00993   928   NtUserMessageCall  (0xd011a, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00990   928   NtUserMessageCall  ... ) == 0x0
 00994   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00995   928   NtUserPeekMessage  (0, 0, 0, 1, ...
 00996   928   NtUserGetThreadState  (0, ... ) == 0x1800f4
 00997   928   NtUserGetForegroundWindow  (... ) == 0xa0102
 00998   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00999   928   NtUserFindWindowEx  (0, 0,  (0, 0, "Shell_TrayWnd", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x20052
 01000   928   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01001   928   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01002   928   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01003   928   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01004   928   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01005   928   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01006   928   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01007   928   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01008   928   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01009   928   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01010   928   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01011   928   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01012   928   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01013   928   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01014   928   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01015   928   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01016   928   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01017   928   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01018   928   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01019   928   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01020   928   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01021   928   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01022   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01023   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01024   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01025   928   NtUserPostThreadMessage  (384, 49313, 1, 0, ... ) == 0x1
 01026   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01027   928   NtUserPostThreadMessage  (928, 49313, 0, 0, ... ) == 0x1
 01028   928   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01029   928   NtUserGetKeyboardLayoutList  (1, 1333216, ... ) == 0x1
 01030   928   NtWaitForSingleObject  (68, 0, {-50000000, -1}, ... ) == 0x0
 01031   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "CTF.AsmListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 104, ) }, ... 104, ) == 0x0
 01032   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01033   928   NtFlushVirtualMemory  (-1, (0x990000), 8, ... ) == STATUS_NOT_MAPPED_DATA
 01034   928   NtQueryInstallUILanguage  (2089305898, ... ) == 0x0
 01035   928   NtQueryDefaultUILanguage  (1239236, ...
 01036   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01037   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01038   928   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01039   928   NtClose  (-2147482740, ... ) == 0x0
 01040   928   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01041   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01043   928   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   928   NtClose  (-2147481328, ... ) == 0x0
 01045   928   NtClose  (-2147482740, ... ) == 0x0
 01035   928   NtQueryDefaultUILanguage  ... ) == 0x0
 01046   928   NtReleaseMutant  (68, ... 0x0, ) == 0x0
 01047   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01048   928   NtClose  (104, ... ) == 0x0
 01049   928   NtReleaseMutant  (68, ...
 01050   928   NtContinue  (-139614372, 0, ...
 01049   928   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 01051   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01052   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01053   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01054   928   NtUserCreateWindowEx  (-2147483648, 1241272, 1240036, "-2013265920, 0, 0, 0, 0, -3, 0, 1953628160, 0, 1073742848, 0, ...
 01055   928   NtUserMessageCall  (0x60144, WM_NCCREATE, 0x0, 0x12eb44, 0, 670, 1, ... ) == 0x1
 01056   928   NtUserMessageCall  (0x60144, WM_NCCALCSIZE, 0x0, 0x12eb84, 0, 670, 1, ... ) == 0x0
 01057   928   NtUserSetProp  (393540, 43288, -1, ... ) == 0x1
 01054   928   NtUserCreateWindowEx  ... ) == 0x60144
 01058   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01059   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01060   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01061   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01062   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01063   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01064   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01065   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01066   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01067   928   NtUserPostThreadMessage  (1748, 49314, 0, 0, ... ) == 0x1
 01068   928   NtUserPostThreadMessage  (416, 49314, 0, 0, ... ) == 0x1
 01069   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 00995   928   NtUserPeekMessage  ... {0x0, WM_USER+0xbca1, 0x11, 0x1800f4, 0xbb084f, {0, 0}}, ) == 0x1
 01070   928   NtOpenProcessToken  (-1, 0x8, ... 104, ) == 0x0
 01071   928   NtQueryInformationToken  (104, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01072   928   NtClose  (104, ... ) == 0x0
 01073   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01074   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01075   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x0, WM_USER+0xbca1, 0x0, 0x0, 0xbb087e, {0, 0}}, ) == 0x1
 01076   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01077   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01078   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca7, 0x0, 0x0, 0xbb088d, {0, 0}}, ) == 0x1
 01079   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01080   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01081   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01082   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01083   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "CTF.ThreadMIConnectionEvent.000006D4.00000000.00000013"}, ... 104, ) }, ... 104, ) == 0x0
 01084   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01085   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01086   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01087   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01088   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01089   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01090   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01091   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01092   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01093   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01094   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01095   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01096   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01097   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01098   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01099   928   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 108, ) }, ... 108, ) == 0x0
 01100   928   NtQueryValueKey  (108,  (108, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   928   NtQueryValueKey  (108,  (108, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   928   NtQueryValueKey  (108,  (108, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01103   928   NtClose  (108, ... ) == 0x0
 01104   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01105   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01106   928   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01107   928   NtUserGetKeyboardLayoutList  (1, 1343280, ... ) == 0x1
 01108   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01109   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01110   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01111   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01112   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01113   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 01114   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 01115   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01116   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01117   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01118   928   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01119   928   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 01120   928   NtDuplicateToken  (108, 0xc, {24, 0, 0x0, 0, 1241096, 0x0}, 0, 2, ... 112, ) == 0x0
 01121   928   NtClose  (108, ... ) == 0x0
 01122   928   NtAccessCheck  (1341280, 112, 0x1, 1241172, 1241224, 56, 1241204, ... (0x1), ) == 0x0
 01123   928   NtClose  (112, ... ) == 0x0
 01124   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01125   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01126   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01127   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01128   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01129   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 01130   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 01131   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01132   928   NtQueryDefaultLocale  (1, 1241108, ... ) == 0x0
 01133   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01134   928   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01135   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01136   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01137   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01138   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01139   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01140   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 01141   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 01142   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01143   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01144   928   NtUserSystemParametersInfo  (31, 60, 1239840, 0, ... ) == 0x1
 01145   928   NtUserGetDC  (0, ... ) == 0x1010051
 01146   928   NtGdiHfontCreate  (1240848, 356, 0, 0, 1331504, ... ) == 0xb10a06b2
 01147   928   NtGdiGetTextMetricsW  (16842833, 1241088, 68, ... ) == 0x1
 01148   928   NtGdiDeleteObjectApp  (-1324742990, ... ) == 0x1
 01149   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01150   928   NtGdiHfontCreate  (1240812, 356, 0, 0, 1331504, ... ) == 0xb20a06b2
 01151   928   NtUserGetDC  (0, ... ) == 0x1010051
 01152   928   NtGdiCreateCompatibleDC  (16842833, ... ) == 0x890106b4
 01153   928   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0xa40507d3
 01154   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01155   928   NtGdiCreateBitmap  (16, 16, 1, 1, 0, ... ) == 0x830506ae
 01156   928   NtGdiSelectBitmap  (-1996421452, -1543174189, ... ) == 0x185000f
 01157   928   NtGdiGetCharSet  (-1996421452, ... ) == 0x4e4
 01158   928   NtGdiGetCharSet  (-1996421452, ... ) == 0x4e4
 01159   928   NtGdiGetTextCharsetInfo  (-1996421452, 0, 0, ... ) == 0x0
 01160   928   NtGdiGetTextMetricsW  (-1996421452, 1240728, 68, ... ) == 0x1
 01161   928   NtGdiGetRandomRgn  (-1996421452, 939787489, 1, ... ) == 0x0
 01162   928   NtGdiIntersectClipRect  (-1996421452, 0, 0, 16, 16, ... ) == 0x3
 01163   928   NtGdiGetWidthTable  (-1996421452, 2, 1353048, 258, 1353564, 1352416, 1352432, ... ) == 0x1
 01164   928   NtGdiExtSelectClipRgn  (-1996421452, 0, 5, ... ) == 0x2
 01165   928   NtGdiSelectBitmap  (-1996421452, -2096822610, ... ) == 0xa40507d3
 01166   928   NtGdiExtGetObjectW  (-2096822610, 24, 1241108, ... ) == 0x18
 01167   928   NtGdiExtGetObjectW  (-1543174189, 24, 1241084, ... ) == 0x18
 01168   928   NtUserCallOneParam  (0, 33, ... ) == 0x9024b
 01169   928   NtGdiExtGetObjectW  (-1543174189, 24, 1240980, ... ) == 0x18
 01170   928   NtGdiGetDIBitsInternal  (-301922896, -1543174189, 0, 16, 1353100, 1353048, 0, 1024, 0, ... ) == 0x10
 01171   928   NtGdiCreateDIBitmapInternal  (-301922896, 16, 16, 2, 0, 1343144, 0, 40, 0, 0, 0, ... ) == 0x340505d3
 01172   928   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x185000f
 01173   928   NtGdiGetDCforBitmap  (872744403, ... ) == 0xee0105b0
 01174   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01175   928   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x340505d3
 01176   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01177   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01178   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1353100, 1343144, 0, 1024, 40, 1, 0, ... ) == 0x10
 01179   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01180   928   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x340505d3
 01181   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01182   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x340505d3
 01183   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x870504d2
 01184   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0xef0105d7
 01185   928   NtGdiSelectBitmap  (-285145641, -2029714222, ... ) == 0x185000f
 01186   928   NtGdiSelectBitmap  (-301922896, -2096822610, ... ) == 0x0
 01187   928   NtGdiBitBlt  (-285145641, 0, 0, 16, 16, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01188   928   NtGdiSelectBitmap  (-285145641, 25493519, ... ) == 0x870504d2
 01189   928   NtGdiDeleteObjectApp  (-285145641, ... ) == 0x1
 01190   928   NtUserSetCursorIconData  (590411, 1241024, 1241040, 1241132, ... ) == 0x1
 01191   928   NtGdiSelectBitmap  (-1996421452, 25493519, ... ) == 0x830506ae
 01192   928   NtGdiDeleteObjectApp  (-2096822610, ... ) == 0x1
 01193   928   NtGdiDeleteObjectApp  (-1543174189, ... ) == 0x1
 01194   928   NtGdiDeleteObjectApp  (-1996421452, ... ) == 0x1
 01195   928   NtGdiDeleteObjectApp  (-1307965774, ... ) == 0x1
 01196   928   NtQueryDefaultUILanguage  (1238572, ...
 01197   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01198   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482740, ) == 0x0
 01199   928   NtQueryInformationToken  (-2147482740, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01200   928   NtClose  (-2147482740, ... ) == 0x0
 01201   928   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482740, ) }, ... -2147482740, ) == 0x0
 01202   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x240, 0, 0,  (0x80000000, {24, -2147482740, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   928   NtOpenKey  (0x80000000, {24, -2147482740, 0x640, 0, 0,  (0x80000000, {24, -2147482740, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481328, ) }, ... -2147481328, ) == 0x0
 01204   928   NtQueryValueKey  (-2147481328,  (-2147481328, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   928   NtClose  (-2147481328, ... ) == 0x0
 01206   928   NtClose  (-2147482740, ... ) == 0x0
 01196   928   NtQueryDefaultUILanguage  ... ) == 0x0
 01207   928   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\LangBarAddIn\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   928   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\LangBarAddIn\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01210   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01211   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01212   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01213   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01214   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 01215   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 01216   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01217   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD..NIIALL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01218   928   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01219   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "CTF.ThreadMarshalInterfaceEvent.000006D4.00000000.00000013"}, ... 108, ) }, ... 108, ) == 0x0
 01220   928   NtSetEvent  (108, ... 0x0, ) == 0x0
 01221   928   NtClose  (108, ... ) == 0x0
 01222   928   NtClose  (104, ... ) == 0x0
 01223   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01224   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb088d, {0, 0}}, ) == 0x1
 01225   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01226   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01227   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01228   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01229   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01230   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01231   928   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "MSCTF.Shared.MUTEX.ENG"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 01232   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.Shared.SFM.ENG"}, ... 116, ) }, ... 116, ) == 0x0
 01233   928   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9a0000), {0, 0}, 524288, ) == 0x0
 01234   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01235   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01236   928   NtClose  (112, ... ) == 0x0
 01237   928   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 01238   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01239   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.B.NIIALL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01240   928   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01241   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.C.NIIALL"}, {20, 0}, 4, 134217728, 0, ... 120, ) }, {20, 0}, 4, 134217728, 0, ... 120, ) == 0x0
 01242   928   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 4096, ) == 0x0
 01243   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.D.NIIALL"}, {20, 0}, 4, 134217728, 0, ... 124, ) }, {20, 0}, 4, 134217728, 0, ... 124, ) == 0x0
 01244   928   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 4096, ) == 0x0
 01245   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01246   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01247   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01248   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01249   928   NtClose  (104, ... ) == 0x0
 01250   928   NtClose  (128, ... ) == 0x0
 01251   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01252   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb088d, {0, 0}}, ) == 0x1
 01253   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01254   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01255   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01256   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01257   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01258   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01259   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01260   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01261   928   NtClose  (112, ... ) == 0x0
 01262   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01263   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.E.NJIALL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01264   928   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01265   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01266   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01267   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01268   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01269   928   NtClose  (128, ... ) == 0x0
 01270   928   NtClose  (104, ... ) == 0x0
 01271   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01272   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb088d, 0x1, 0xbb089d, {0, 0}}, ) == 0x1
 01273   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01274   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01275   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01276   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01277   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1238964, ... ) }, 1238964, ... ) == 0x0
 01278   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01279   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x1
 01280   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01281   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01282   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01283   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01284   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01285   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01286   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01287   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01288   928   NtClose  (120, ... ) == 0x0
 01289   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01290   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.F.NJIALL"}, {20, 0}, 4, 134217728, 0, ... 120, ) }, {20, 0}, 4, 134217728, 0, ... 120, ) == 0x0
 01291   928   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 4096, ) == 0x0
 01292   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01293   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01294   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01295   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01296   928   NtClose  (104, ... ) == 0x0
 01297   928   NtClose  (128, ... ) == 0x0
 01298   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01299   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb088d, 0x2, 0xbb089d, {0, 0}}, ) == 0x1
 01300   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01301   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01302   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01303   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01304   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01305   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x1
 01306   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01307   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01308   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01309   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01310   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01311   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01312   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01313   928   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01314   928   NtClose  (124, ... ) == 0x0
 01315   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01316   928   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.AKD.G.NJIALL"}, {20, 0}, 4, 134217728, 0, ... 124, ) }, {20, 0}, 4, 134217728, 0, ... 124, ) == 0x0
 01317   928   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 4096, ) == 0x0
 01318   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01319   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01320   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01321   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01322   928   NtClose  (128, ... ) == 0x0
 01323   928   NtClose  (104, ... ) == 0x0
 01324   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01325   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb088d, 0x3, 0xbb089d, {0, 0}}, ) == 0x1
 01326   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01327   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01328   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01329   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01330   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01331   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x1
 01332   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01333   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01334   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01335   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01336   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01337   928   NtSetEvent  (104, ... 0x0, ) == 0x0
 01338   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01339   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01340   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.M.NJIALL"}, ... 128, ) }, ... 128, ) == 0x0
 01341   928   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01342   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01343   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01344   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01345   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01346   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01347   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01348   928   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01349   928   NtClose  (128, ... ) == 0x0
 01350   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.N.NJIALL"}, ... 128, ) }, ... 128, ) == 0x0
 01351   928   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01352   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01353   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01354   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01355   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01356   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01357   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01358   928   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01359   928   NtClose  (128, ... ) == 0x0
 01360   928   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.O.NJIALL"}, ... 128, ) }, ... 128, ) == 0x0
 01361   928   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01362   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01363   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01364   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01365   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01366   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01367   928   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01368   928   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01369   928   NtClose  (128, ... ) == 0x0
 01370   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01371   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01372   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01373   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01374   928   NtClose  (104, ... ) == 0x0
 01375   928   NtClose  (128, ... ) == 0x0
 01376   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01377   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x1
 01378   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01379   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01380   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01381   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01382   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01383   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01384   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01385   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01386   928   NtClose  (120, ... ) == 0x0
 01387   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01388   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01389   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01390   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01391   928   NtSetEvent  (120, ... 0x0, ) == 0x0
 01392   928   NtClose  (128, ... ) == 0x0
 01393   928   NtClose  (120, ... ) == 0x0
 01394   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01395   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x1
 01396   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01397   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01398   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01399   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01400   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01401   928   NtSetEvent  (120, ... 0x0, ) == 0x0
 01402   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01403   928   NtAllocateVirtualMemory  (-1, 1363968, 0, 12288, 4096, 4, ... 1363968, 12288, ) == 0x0
 01404   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01405   928   NtQueryDefaultLocale  (1, 1239964, ... ) == 0x0
 01406   928   NtQueryDefaultLocale  (1, 1239984, ... ) == 0x0
 01407   928   NtUserGetDC  (0, ... ) == 0x1010051
 01408   928   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0xb30506b2
 01409   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01410   928   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0x185000f
 01411   928   NtGdiGetDCforBitmap  (-1291516238, ... ) == 0xee0105b0
 01412   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01413   928   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0xb30506b2
 01414   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01415   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01416   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1953913504, 1358240, 0, 128, 104, 1, 0, ... ) == 0x10
 01417   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01418   928   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0xb30506b2
 01419   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01420   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xb30506b2
 01421   928   NtUserGetDC  (0, ... ) == 0x1010051
 01422   928   NtGdiCreateDIBitmapInternal  (16842833, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xa60507d3
 01423   928   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01424   928   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0x185000f
 01425   928   NtGdiGetDCforBitmap  (-1509619757, ... ) == 0xee0105b0
 01426   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01427   928   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0xa60507d3
 01428   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01429   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01430   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 32, 0, 0, 0, 32, 1953913568, 1358240, 0, 128, 48, 1, 0, ... ) == 0x20
 01431   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01432   928   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0xa60507d3
 01433   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01434   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa60507d3
 01435   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x860106ae
 01436   928   NtGdiExtGetObjectW  (-1509619757, 24, 1239416, ... ) == 0x18
 01437   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0xf20505d7
 01438   928   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0x185000f
 01439   928   NtGdiSelectBitmap  (-2046753106, -234551849, ... ) == 0x185000f
 01440   928   NtGdiBitBlt  (-2046753106, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01441   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa60507d3
 01442   928   NtGdiSelectBitmap  (-2046753106, 25493519, ... ) == 0xf20505d7
 01443   928   NtGdiDeleteObjectApp  (-1509619757, ... ) == 0x1
 01444   928   NtGdiDeleteObjectApp  (-2046753106, ... ) == 0x1
 01445   928   NtUserCallOneParam  (0, 33, ... ) == 0x402a3
 01446   928   NtUserSetCursorIconData  (262819, 1239464, 1239480, 1239544, ... ) == 0x1
 01447   928   NtUserGetIconInfo  (262819, 1240816, 0, 0, 0, 0, ... ) == 0x1
 01448   928   NtGdiExtGetObjectW  (-1929050444, 24, 1240740, ... ) == 0x18
 01449   928   NtGdiExtGetObjectW  (-2012936530, 24, 1240716, ... ) == 0x18
 01450   928   NtGdiDeleteObjectApp  (-1929050444, ... ) == 0x1
 01451   928   NtGdiDeleteObjectApp  (-2012936530, ... ) == 0x1
 01452   928   NtUserGetIconInfo  (262819, 1240812, 0, 0, 0, 0, ... ) == 0x1
 01453   928   NtGdiExtGetObjectW  (-1912273228, 24, 1240728, ... ) == 0x18
 01454   928   NtGdiExtGetObjectW  (-1996159314, 24, 1240704, ... ) == 0x18
 01455   928   NtGdiGetBitmapBits  (-1912273228, 1024, 1358488, ... ) == 0x400
 01456   928   NtGdiGetBitmapBits  (-1996159314, 32, 1359512, ... ) == 0x20
 01457   928   NtGdiDeleteObjectApp  (-1912273228, ... ) == 0x1
 01458   928   NtGdiDeleteObjectApp  (-1996159314, ... ) == 0x1
 01459   928   NtUserDestroyCursor  (262819, 1, ... ) == 0x1
 01460   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01461   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01462   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01463   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01464   928   NtClose  (120, ... ) == 0x0
 01465   928   NtClose  (128, ... ) == 0x0
 01466   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01467   928   NtUserShowWindow  (655618, 1, ...
 01468   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01469   928   NtUserGetThreadState  (1, ... ) == 0xa0102
 01470   928   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01471   928   NtUserGetForegroundWindow  (... ) == 0xa0102
 01472   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01473   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01474   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01475   928   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01476   928   NtUserGetKeyboardLayoutList  (1, 1349544, ... ) == 0x1
 01477   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01478   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01479   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01480   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01481   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01482   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01483   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01484   928   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01485   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01486   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01487   928   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01488   928   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01489   928   NtUserPostThreadMessage  (1748, 49314, 0, 0, ... ) == 0x1
 01490   928   NtUserPostThreadMessage  (416, 49314, 0, 0, ... ) == 0x1
 01491   928   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01492   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01493   928   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01494   928   NtGdiGetRandomRgn  (16842836, 956564705, 1, ... ) == 0x0
 01495   928   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01496   928   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01497   928   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x2
 01498   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01499   928   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01500   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1240436, 690, 0, ...
 01501   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01500   928   NtUserMessageCall  ... ) == 0x0
 01502   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1240436, 690, 0, ...
 01503   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01502   928   NtUserMessageCall  ... ) == 0x0
 01504   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1240436, 690, 0, ...
 01505   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01504   928   NtUserMessageCall  ... ) == 0x0
 01506   928   NtUserGetTitleBarInfo  (655618, 1241068, ... ) == 0x1
 01507   928   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010050
 01508   928   NtGdiExcludeClipRect  (16842832, 3, 29, 455, 123, ... ) == 0x3
 01509   928   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01510   928   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01511   928   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01512   928   NtGdiCreateCompatibleBitmap  (16842832, 458, 29, ... ) == 0x940506b4
 01513   928   NtGdiCreateCompatibleDC  (16842832, ... ) == 0x7101032c
 01514   928   NtGdiSelectBitmap  (1895891756, -1811609932, ... ) == 0x185000f
 01515   928   NtGdiDrawStream  (1895891756, 96, 1240444, ... ) == 0x1
 01516   928   NtGdiDrawStream  (1895891756, 96, 1240400, ... ) == 0x1
 01517   928   NtGdiDrawStream  (1895891756, 96, 1240400, ... ) == 0x1
 01518   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01519   928   NtGdiGetRandomRgn  (1895891756, 973341921, 1, ... ) == 0x0
 01520   928   NtGdiIntersectClipRect  (1895891756, 8, 8, 430, 25, ... ) == 0x3
 01521   928   NtGdiExtSelectClipRgn  (1895891756, 0, 5, ... ) == 0x2
 01522   928   NtGdiGetRandomRgn  (1895891756, 990119137, 1, ... ) == 0x0
 01523   928   NtGdiIntersectClipRect  (1895891756, 7, 7, 429, 25, ... ) == 0x3
 01524   928   NtGdiExtSelectClipRgn  (1895891756, 0, 5, ... ) == 0x2
 01525   928   NtGdiBitBlt  (16842832, 0, 0, 458, 29, 1895891756, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01526   928   NtGdiSelectBitmap  (1895891756, 25493519, ... ) == 0x940506b4
 01527   928   NtGdiDeleteObjectApp  (1895891756, ... ) == 0x1
 01528   928   NtGdiDeleteObjectApp  (-1811609932, ... ) == 0x1
 01529   928   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 01530   928   NtUserFillWindow  (655618, 655618, 16842835, 4, ...
 01531   928   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 01532   928   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 01533   928   NtUserGetAncestor  (65556, 1, ... ) == 0x0
 01530   928   NtUserFillWindow  ... ) == 0x1
 01534   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01535   928   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01536   928   NtGdiGetRandomRgn  (16842836, 1006896353, 1, ... ) == 0x0
 01537   928   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01538   928   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01539   928   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x2
 01540   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01541   928   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01542   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1240728, 690, 0, ...
 01543   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01542   928   NtUserMessageCall  ... ) == 0x0
 01544   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1240728, 690, 0, ...
 01545   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01544   928   NtUserMessageCall  ... ) == 0x0
 01546   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1240728, 690, 0, ...
 01547   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01546   928   NtUserMessageCall  ... ) == 0x0
 01548   928   NtUserGetTitleBarInfo  (655618, 1241360, ... ) == 0x1
 01549   928   NtUserBuildHwndList  (0, 655618, 1, 0, 64, ... (0x1800f4, 0x500fc, 0xd011a, 0x1, ), 4, ) == 0x0
 01550   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01551   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01552   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01553   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01554   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01555   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01556   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01557   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01558   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01559   928   NtUserGetWindowDC  (0, ... ) == 0x1010052
 01560   928   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01561   928   NtGdiExtCreateRegion  (0, 112, 8662840, ... ) == 0x960406b4
 01562   928   NtGdiOffsetRgn  (-1778121036, 0, 0, ... ) == 0x3
 01563   928   NtGdiCombineRgn  (1023673569, -1778121036, 1023673569, 5, ... ) == 0x3
 01564   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x7204032c
 01565   928   NtGdiCombineRgn  (1023673569, 1912865580, 1023673569, 2, ... ) == 0x3
 01566   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0xf60405d7
 01567   928   NtGdiCombineRgn  (1023673569, -167508521, 1023673569, 2, ... ) == 0x3
 01568   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x8d0406ae
 01569   928   NtGdiCombineRgn  (1023673569, -1929115986, 1023673569, 2, ... ) == 0x3
 01570   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0xb80406b2
 01571   928   NtGdiCombineRgn  (1023673569, -1207695694, 1023673569, 2, ... ) == 0x3
 01572   928   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x560403d5
 01573   928   NtGdiCombineRgn  (1443103701, 1023673569, 0, 5, ... ) == 0x3
 01574   928   NtUserSetWindowRgn  (655618, 1023673569, 1, ...
 01575   928   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x1, 0x12f04c, 0, 670, 0, ... ) == 0x0
 01576   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01577   928   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01578   928   NtGdiGetRandomRgn  (16842836, -1190918478, 1, ... ) == 0x0
 01579   928   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01580   928   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01581   928   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x3
 01582   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01583   928   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01584   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239508, 690, 0, ...
 01585   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01584   928   NtUserMessageCall  ... ) == 0x0
 01586   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239508, 690, 0, ...
 01587   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01586   928   NtUserMessageCall  ... ) == 0x0
 01588   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239508, 690, 0, ...
 01589   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01588   928   NtUserMessageCall  ... ) == 0x0
 01590   928   NtUserGetTitleBarInfo  (655618, 1240140, ... ) == 0x1
 01591   928   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010053
 01592   928   NtGdiExcludeClipRect  (16842835, 3, 29, 455, 123, ... ) == 0x3
 01593   928   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01594   928   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01595   928   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01596   928   NtGdiCreateCompatibleBitmap  (16842835, 458, 29, ... ) == 0x380506a8
 01597   928   NtGdiCreateCompatibleDC  (16842835, ... ) == 0x5a01066b
 01598   928   NtGdiSelectBitmap  (1510016619, 939853480, ... ) == 0x185000f
 01599   928   NtGdiDrawStream  (1510016619, 96, 1239516, ... ) == 0x1
 01600   928   NtGdiDrawStream  (1510016619, 96, 1239472, ... ) == 0x1
 01601   928   NtGdiDrawStream  (1510016619, 96, 1239472, ... ) == 0x1
 01602   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01603   928   NtGdiGetRandomRgn  (1510016619, -1174141262, 1, ... ) == 0x0
 01604   928   NtGdiIntersectClipRect  (1510016619, 8, 8, 430, 25, ... ) == 0x3
 01605   928   NtGdiExtSelectClipRgn  (1510016619, 0, 5, ... ) == 0x2
 01606   928   NtGdiGetRandomRgn  (1510016619, -1157364046, 1, ... ) == 0x0
 01607   928   NtGdiIntersectClipRect  (1510016619, 7, 7, 429, 25, ... ) == 0x3
 01608   928   NtGdiExtSelectClipRgn  (1510016619, 0, 5, ... ) == 0x2
 01609   928   NtGdiBitBlt  (16842835, 0, 0, 458, 29, 1510016619, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01610   928   NtGdiSelectBitmap  (1510016619, 25493519, ... ) == 0x380506a8
 01611   928   NtGdiDeleteObjectApp  (1510016619, ... ) == 0x1
 01612   928   NtGdiDeleteObjectApp  (939853480, ... ) == 0x1
 01613   928   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01614   928   NtUserFillWindow  (655618, 655618, 16842832, 4, ...
 01615   928   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 01616   928   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 01617   928   NtUserGetAncestor  (65556, 1, ... ) == 0x0
 01614   928   NtUserFillWindow  ... ) == 0x1
 01574   928   NtUserSetWindowRgn  ... ) == 0x1
 01467   928   NtUserShowWindow  ... ) == 0x0
 01618   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01619   928   NtUserCallHwndLock  (655618, 94, ...
 01620   928   NtUserMessageCall  (0xa0102, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01621   928   NtUserBeginPaint  (0x1800f4, 1241748, ...
 01622   928   NtUserMessageCall  (0x1800f4, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01621   928   NtUserBeginPaint  ... ) == 0x1010050
 01623   928   NtUserGetControlBrush  (0x1800f4, 16842832, 309, ... ) == 0x1100056
 01624   928   NtGdiIntersectClipRect  (16842832, 0, 0, 75, 23, ... ) == 0x3
 01625   928   NtGdiIntersectClipRect  (16842832, 3, 3, 72, 20, ... ) == 0x3
 01626   928   NtUserEndPaint  (0x1800f4, 1241748, ... ) == 0x1
 01627   928   NtUserBeginPaint  (0x500fc, 1241752, ...
 01628   928   NtUserMessageCall  (0x500fc, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01627   928   NtUserBeginPaint  ... ) == 0x1010050
 01629   928   NtGdiIntersectClipRect  (16842832, 0, 0, 32, 32, ... ) == 0x3
 01630   928   NtUserGetControlBrush  (0x500fc, 16842832, 312, ...
 01631   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01632   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01630   928   NtUserGetControlBrush  ... ) == 0x1100056
 01633   928   NtGdiGetDCDword  (16842832, 7, 1241436, ... ) == 0x1
 01634   928   NtUserDrawIconEx  (16842832, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1241488, ... ) == 0x1
 01635   928   NtUserEndPaint  (0x500fc, 1241752, ... ) == 0x1
 01636   928   NtUserBeginPaint  (0xd011a, 1241752, ...
 01637   928   NtUserMessageCall  (0xd011a, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01636   928   NtUserBeginPaint  ... ) == 0x1010050
 01638   928   NtGdiIntersectClipRect  (16842832, 0, 0, 384, 15, ... ) == 0x3
 01639   928   NtUserGetControlBrush  (0xd011a, 16842832, 312, ...
 01640   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01641   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01639   928   NtUserGetControlBrush  ... ) == 0x1100056
 01642   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01643   928   NtGdiGetTextCharsetInfo  (16842832, 0, 0, ... ) == 0x0
 01644   928   NtUserEndPaint  (0xd011a, 1241752, ... ) == 0x1
 01619   928   NtUserCallHwndLock  ... ) == 0x1
 01645   928   NtUserWaitMessage  (... ) == 0x1
 01646   928   NtUserPeekMessage  (0, 0, 0, 1, ...
 01647   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01646   928   NtUserPeekMessage  ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x0
 01648   928   NtUserWaitMessage  (... ) == 0x1
 01649   928   NtUserPeekMessage  (0, 0, 0, 1, ...
 01650   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01649   928   NtUserPeekMessage  ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x0
 01651   928   NtUserWaitMessage  (... ) == 0x1
 01652   928   NtUserPeekMessage  (0, 0, 0, 1, ...
 01653   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01652   928   NtUserPeekMessage  ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb089d, {0, 0}}, ) == 0x0
 01654   928   NtUserWaitMessage  (... ) == 0x1
 01655   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb0978, {0, 0}}, ) == 0x1
 01656   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01657   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01658   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01659   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01660   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01661   928   NtSetEvent  (128, ... 0x0, ) == 0x0
 01662   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01663   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01664   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01665   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01666   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01667   928   NtSetEvent  (120, ... 0x0, ) == 0x0
 01668   928   NtClose  (128, ... ) == 0x0
 01669   928   NtClose  (120, ... ) == 0x0
 01670   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01671   928   NtUserWaitMessage  (... ) == 0x1
 01672   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb0978, {0, 0}}, ) == 0x1
 01673   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01674   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01675   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01676   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01677   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01678   928   NtSetEvent  (120, ... 0x0, ) == 0x0
 01679   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01680   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01681   928   NtClose  (112, ... ) == 0x0
 01682   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01683   928   NtUserGetIconInfo  (590411, 1240892, 0, 0, 0, 0, ... ) == 0x1
 01684   928   NtGdiExtGetObjectW  (-1358625400, 24, 1240748, ... ) == 0x18
 01685   928   NtGdiExtGetObjectW  (-385546756, 24, 1240724, ... ) == 0x18
 01686   928   NtUserCallOneParam  (0, 33, ... ) == 0x902a3
 01687   928   NtGdiExtGetObjectW  (-385546756, 24, 1240620, ... ) == 0x18
 01688   928   NtGdiGetDIBitsInternal  (-301922896, -385546756, 0, 16, 1358644, 1358592, 0, 1024, 0, ... ) == 0x10
 01689   928   NtGdiCreateDIBitmapInternal  (-301922896, 16, 16, 2, 0, 1362432, 0, 40, 0, 0, 0, ... ) == 0xd1050636
 01690   928   NtGdiSelectBitmap  (-301922896, -788199882, ... ) == 0x185000f
 01691   928   NtGdiGetDCforBitmap  (-788199882, ... ) == 0xee0105b0
 01692   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01693   928   NtGdiSelectBitmap  (-301922896, -788199882, ... ) == 0xd1050636
 01694   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01695   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01696   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1358644, 1362432, 0, 1024, 40, 1, 0, ... ) == 0x10
 01697   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01698   928   NtGdiSelectBitmap  (-301922896, -788199882, ... ) == 0xd1050636
 01699   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01700   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xd1050636
 01701   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x3d0504d6
 01702   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x430106a8
 01703   928   NtGdiSelectBitmap  (1124140712, 1023739094, ... ) == 0x185000f
 01704   928   NtGdiSelectBitmap  (-301922896, -1358625400, ... ) == 0x185000f
 01705   928   NtGdiBitBlt  (1124140712, 0, 0, 16, 16, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01706   928   NtGdiSelectBitmap  (1124140712, 25493519, ... ) == 0x3d0504d6
 01707   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xaf050588
 01708   928   NtGdiDeleteObjectApp  (1124140712, ... ) == 0x1
 01709   928   NtUserSetCursorIconData  (590499, 1240664, 1240680, 1240772, ... ) == 0x1
 01710   928   NtGdiDeleteObjectApp  (-1358625400, ... ) == 0x1
 01711   928   NtGdiDeleteObjectApp  (-385546756, ... ) == 0x1
 01712   928   NtUserGetIconInfo  (590499, 1240816, 0, 0, 0, 0, ... ) == 0x1
 01713   928   NtGdiExtGetObjectW  (-1341848184, 24, 1240740, ... ) == 0x18
 01714   928   NtGdiExtGetObjectW  (-653982502, 24, 1240716, ... ) == 0x18
 01715   928   NtGdiDeleteObjectApp  (-1341848184, ... ) == 0x1
 01716   928   NtGdiDeleteObjectApp  (-653982502, ... ) == 0x1
 01717   928   NtUserGetIconInfo  (590499, 1240812, 0, 0, 0, 0, ... ) == 0x1
 01718   928   NtGdiExtGetObjectW  (-1325070968, 24, 1240728, ... ) == 0x18
 01719   928   NtGdiExtGetObjectW  (-637205286, 24, 1240704, ... ) == 0x18
 01720   928   NtGdiGetBitmapBits  (-1325070968, 1024, 1358720, ... ) == 0x400
 01721   928   NtGdiGetBitmapBits  (-637205286, 32, 1359744, ... ) == 0x20
 01722   928   NtGdiDeleteObjectApp  (-1325070968, ... ) == 0x1
 01723   928   NtGdiDeleteObjectApp  (-637205286, ... ) == 0x1
 01724   928   NtUserDestroyCursor  (590499, 1, ... ) == 0x1
 01725   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01726   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01727   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 112, ) }, ... 112, ) == 0x0
 01728   928   NtSetEvent  (112, ... 0x0, ) == 0x0
 01729   928   NtClose  (120, ... ) == 0x0
 01730   928   NtClose  (112, ... ) == 0x0
 01731   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01732   928   NtUserWaitMessage  (... ) == 0x1
 01733   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb0978, {0, 0}}, ) == 0x1
 01734   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01735   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01736   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01737   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01738   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 112, ) }, ... 112, ) == 0x0
 01739   928   NtSetEvent  (112, ... 0x0, ) == 0x0
 01740   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01741   928   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01742   928   NtClose  (124, ... ) == 0x0
 01743   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01744   928   NtQueryDefaultLocale  (1, 1239944, ... ) == 0x0
 01745   928   NtQueryDefaultLocale  (1, 1239964, ... ) == 0x0
 01746   928   NtUserGetDC  (0, ... ) == 0x1010053
 01747   928   NtGdiCreateCompatibleBitmap  (16842835, 16, 16, ... ) == 0xdd0504da
 01748   928   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01749   928   NtGdiSelectBitmap  (-301922896, -586873638, ... ) == 0x185000f
 01750   928   NtGdiGetDCforBitmap  (-586873638, ... ) == 0xee0105b0
 01751   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01752   928   NtGdiSelectBitmap  (-301922896, -586873638, ... ) == 0xdd0504da
 01753   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01754   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01755   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1953912544, 1358240, 0, 128, 104, 1, 0, ... ) == 0x10
 01756   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01757   928   NtGdiSelectBitmap  (-301922896, -586873638, ... ) == 0xdd0504da
 01758   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01759   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xdd0504da
 01760   928   NtUserGetDC  (0, ... ) == 0x1010053
 01761   928   NtGdiCreateDIBitmapInternal  (16842835, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xb5050588
 01762   928   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01763   928   NtGdiSelectBitmap  (-301922896, -1257962104, ... ) == 0x185000f
 01764   928   NtGdiGetDCforBitmap  (-1257962104, ... ) == 0xee0105b0
 01765   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01766   928   NtGdiSelectBitmap  (-301922896, -1257962104, ... ) == 0xb5050588
 01767   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01768   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01769   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 32, 0, 0, 0, 32, 1953912608, 1358240, 0, 128, 48, 1, 0, ... ) == 0x20
 01770   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01771   928   NtGdiSelectBitmap  (-301922896, -1257962104, ... ) == 0xb5050588
 01772   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01773   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xb5050588
 01774   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0xd7010636
 01775   928   NtGdiExtGetObjectW  (-1257962104, 24, 1239396, ... ) == 0x18
 01776   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x420504d6
 01777   928   NtGdiSelectBitmap  (-301922896, -1257962104, ... ) == 0x185000f
 01778   928   NtGdiSelectBitmap  (-687798730, 1107625174, ... ) == 0x185000f
 01779   928   NtGdiBitBlt  (-687798730, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01780   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xb5050588
 01781   928   NtGdiSelectBitmap  (-687798730, 25493519, ... ) == 0x420504d6
 01782   928   NtGdiDeleteObjectApp  (-1257962104, ... ) == 0x1
 01783   928   NtGdiDeleteObjectApp  (-687798730, ... ) == 0x1
 01784   928   NtUserCallOneParam  (0, 33, ... ) == 0xb02a3
 01785   928   NtUserSetCursorIconData  (721571, 1239444, 1239460, 1239524, ... ) == 0x1
 01786   928   NtUserGetIconInfo  (721571, 1240816, 0, 0, 0, 0, ... ) == 0x1
 01787   928   NtGdiExtGetObjectW  (-268106244, 24, 1240740, ... ) == 0x18
 01788   928   NtGdiExtGetObjectW  (-653982154, 24, 1240716, ... ) == 0x18
 01789   928   NtGdiDeleteObjectApp  (-268106244, ... ) == 0x1
 01790   928   NtGdiDeleteObjectApp  (-653982154, ... ) == 0x1
 01791   928   NtUserGetIconInfo  (721571, 1240812, 0, 0, 0, 0, ... ) == 0x1
 01792   928   NtGdiExtGetObjectW  (-251329028, 24, 1240728, ... ) == 0x18
 01793   928   NtGdiExtGetObjectW  (-637204938, 24, 1240704, ... ) == 0x18
 01794   928   NtGdiGetBitmapBits  (-251329028, 1024, 1358720, ... ) == 0x400
 01795   928   NtGdiGetBitmapBits  (-637204938, 32, 1359744, ... ) == 0x20
 01796   928   NtGdiDeleteObjectApp  (-251329028, ... ) == 0x1
 01797   928   NtGdiDeleteObjectApp  (-637204938, ... ) == 0x1
 01798   928   NtUserDestroyCursor  (721571, 1, ... ) == 0x1
 01799   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01800   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01801   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 124, ) }, ... 124, ) == 0x0
 01802   928   NtSetEvent  (124, ... 0x0, ) == 0x0
 01803   928   NtClose  (112, ... ) == 0x0
 01804   928   NtClose  (124, ... ) == 0x0
 01805   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01806   928   NtUserWaitMessage  (... ) == 0x1
 01807   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb0978, {0, 0}}, ) == 0x1
 01808   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01809   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01810   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01811   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01812   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 124, ) }, ... 124, ) == 0x0
 01813   928   NtSetEvent  (124, ... 0x0, ) == 0x0
 01814   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01815   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01816   928   NtQueryDefaultLocale  (1, 1239964, ... ) == 0x0
 01817   928   NtQueryDefaultLocale  (1, 1239984, ... ) == 0x0
 01818   928   NtUserGetDC  (0, ... ) == 0x1010053
 01819   928   NtGdiCreateCompatibleBitmap  (16842835, 16, 16, ... ) == 0xf40505fc
 01820   928   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01821   928   NtGdiSelectBitmap  (-301922896, -200997380, ... ) == 0x185000f
 01822   928   NtGdiGetDCforBitmap  (-200997380, ... ) == 0xee0105b0
 01823   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01824   928   NtGdiSelectBitmap  (-301922896, -200997380, ... ) == 0xf40505fc
 01825   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01826   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01827   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1953913504, 1358240, 0, 128, 104, 1, 0, ... ) == 0x10
 01828   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01829   928   NtGdiSelectBitmap  (-301922896, -200997380, ... ) == 0xf40505fc
 01830   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01831   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xf40505fc
 01832   928   NtUserGetDC  (0, ... ) == 0x1010053
 01833   928   NtGdiCreateDIBitmapInternal  (16842835, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xa30506bb
 01834   928   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01835   928   NtGdiSelectBitmap  (-301922896, -1559951685, ... ) == 0x185000f
 01836   928   NtGdiGetDCforBitmap  (-1559951685, ... ) == 0xee0105b0
 01837   928   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01838   928   NtGdiSelectBitmap  (-301922896, -1559951685, ... ) == 0xa30506bb
 01839   928   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01840   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01841   928   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 32, 0, 0, 0, 32, 1953913568, 1358240, 0, 128, 48, 1, 0, ... ) == 0x20
 01842   928   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01843   928   NtGdiSelectBitmap  (-301922896, -1559951685, ... ) == 0xa30506bb
 01844   928   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01845   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa30506bb
 01846   928   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x480104d6
 01847   928   NtGdiExtGetObjectW  (-1559951685, 24, 1239416, ... ) == 0x18
 01848   928   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0xdf050636
 01849   928   NtGdiSelectBitmap  (-301922896, -1559951685, ... ) == 0x185000f
 01850   928   NtGdiSelectBitmap  (1208026326, -553318858, ... ) == 0x185000f
 01851   928   NtGdiBitBlt  (1208026326, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01852   928   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa30506bb
 01853   928   NtGdiSelectBitmap  (1208026326, 25493519, ... ) == 0xdf050636
 01854   928   NtGdiDeleteObjectApp  (-1559951685, ... ) == 0x1
 01855   928   NtGdiDeleteObjectApp  (1208026326, ... ) == 0x1
 01856   928   NtUserCallOneParam  (0, 33, ... ) == 0xd02a3
 01857   928   NtUserSetCursorIconData  (852643, 1239464, 1239480, 1239544, ... ) == 0x1
 01858   928   NtUserGetIconInfo  (852643, 1240816, 0, 0, 0, 0, ... ) == 0x1
 01859   928   NtGdiExtGetObjectW  (-1157298808, 24, 1240740, ... ) == 0x18
 01860   928   NtGdiExtGetObjectW  (1241842902, 24, 1240716, ... ) == 0x18
 01861   928   NtGdiDeleteObjectApp  (-1157298808, ... ) == 0x1
 01862   928   NtGdiDeleteObjectApp  (1241842902, ... ) == 0x1
 01863   928   NtUserGetIconInfo  (852643, 1240812, 0, 0, 0, 0, ... ) == 0x1
 01864   928   NtGdiExtGetObjectW  (-1140521592, 24, 1240728, ... ) == 0x18
 01865   928   NtGdiExtGetObjectW  (1258620118, 24, 1240704, ... ) == 0x18
 01866   928   NtGdiGetBitmapBits  (-1140521592, 1024, 1358720, ... ) == 0x400
 01867   928   NtGdiGetBitmapBits  (1258620118, 32, 1359744, ... ) == 0x20
 01868   928   NtGdiDeleteObjectApp  (-1140521592, ... ) == 0x1
 01869   928   NtGdiDeleteObjectApp  (1258620118, ... ) == 0x1
 01870   928   NtUserDestroyCursor  (852643, 1, ... ) == 0x1
 01871   928   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01872   928   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01873   928   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 112, ) }, ... 112, ) == 0x0
 01874   928   NtSetEvent  (112, ... 0x0, ) == 0x0
 01875   928   NtClose  (124, ... ) == 0x0
 01876   928   NtClose  (112, ... ) == 0x0
 01877   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01878   928   NtUserWaitMessage  (... ) == 0x1
 01879   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x11012c, WM_TIMER, 0x1, 0x0, 0xbb09b6, {0, 0}}, ) == 0x1
 01880   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01881   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01882   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01883   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01884   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01885   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01886   928   NtUserKillTimer  (1114412, 1, ... ) == 0x1
 01887   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01888   928   NtUserWaitMessage  (... ) == 0x1
 01889   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_KEYFIRST, 0x20, 0x0, 0xbb0a24, {0, 0}}, ) == 0x1
 01890   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01891   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01892   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01893   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01894   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01895   928   NtUserTranslateMessage  (1242200, 0, ... ) == 0x1
 01896   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01897   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01898   928   NtUserSetCapture  (1573108, ... ) == 0x0
 01899   928   NtUserSetFocus  (1573108, ... ) == 0x1800f4
 01900   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01901   928   NtUserGetDC  (1573108, ... ) == 0x1010054
 01902   928   NtUserGetControlBrush  (0x1800f4, 16842836, 309, ... ) == 0x1100056
 01903   928   NtGdiIntersectClipRect  (16842836, 0, 0, 75, 23, ... ) == 0x3
 01904   928   NtGdiIntersectClipRect  (16842836, 3, 3, 72, 20, ... ) == 0x3
 01905   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01906   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_CHAR, 0x20, 0x0, 0xbb0a24, {0, 0}}, ) == 0x1
 01907   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01908   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01909   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01910   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01911   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01912   928   NtUserWaitMessage  (... ) == 0x1
 01913   928   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_KEYFIRST, 0xd, 0x0, 0xbb0a24, {0, 0}}, ) == 0x1
 01914   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01915   928   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01916   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01917   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01918   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01919   928   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01920   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01921   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01922   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01923   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01924   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01925   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01926   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01927   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01928   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01929   928   NtUserGetThreadState  (1, ... ) == 0xa0102
 01930   928   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01931   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01932   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01933   928   NtUserSetFocus  (655618, ...
 01934   928   NtUserPostThreadMessage  (928, 49313, 17, 655618, ... ) == 0x1
 01935   928   NtUserGetDC  (1573108, ... ) == 0x1010054
 01936   928   NtUserGetControlBrush  (0x1800f4, 16842836, 309, ... ) == 0x1100056
 01937   928   NtGdiIntersectClipRect  (16842836, 0, 0, 75, 23, ... ) == 0x3
 01938   928   NtGdiIntersectClipRect  (16842836, 3, 3, 72, 20, ... ) == 0x3
 01939   928   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01940   928   NtUserCallNoParam  (13, ... ) == 0x1
 01941   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01942   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01943   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01944   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01945   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01946   928   NtUserGetThreadState  (1, ... ) == 0xa0102
 01947   928   NtUserGetThreadState  (0, ... ) == 0xa0102
 01948   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01949   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01950   928   NtUserSetWindowPos  (655618, 0, 0, 0, 0, 0, 151, ...
 01951   928   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01952   928   NtUserGetWindowDC  (655618, ... ) == 0x1010050
 01953   928   NtGdiGetRandomRgn  (16842832, -1140586830, 1, ... ) == 0x0
 01954   928   NtGdiIntersectClipRect  (16842832, 0, 0, 0, 0, ... ) == 0x3
 01955   928   NtGdiGetCharSet  (16842832, ... ) == 0x4e4
 01956   928   NtGdiExtSelectClipRgn  (16842832, 0, 5, ... ) == 0x1
 01957   928   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 01958   928   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01959   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239032, 690, 0, ...
 01960   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01959   928   NtUserMessageCall  ... ) == 0x0
 01961   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239032, 690, 0, ...
 01962   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01961   928   NtUserMessageCall  ... ) == 0x0
 01963   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239032, 690, 0, ...
 01964   928   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01963   928   NtUserMessageCall  ... ) == 0x0
 01965   928   NtUserGetTitleBarInfo  (655618, 1239664, ... ) == 0x1
 01966   928   NtUserBuildHwndList  (0, 655618, 1, 0, 64, ... (0x1800f4, 0x500fc, 0xd011a, 0x1, ), 4, ) == 0x0
 01967   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01968   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01969   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01970   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01971   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01972   928   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01973   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01974   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01975   928   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01950   928   NtUserSetWindowPos  ... ) == 0x1
 01976   928   NtUserGetThreadState  (1, ... ) == 0xa0102
 01977   928   NtUserCallNoParam  (15, ... ) == 0xbc64fea8
 01978   928   NtUserPostMessage  (655618, 0, 0, 0, ... ) == 0x1
 01979   928   NtUserInvalidateRect  (1573108, 0, 0, ... ) == 0x1
 01980   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01981   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01982   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01983   928   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01984   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01985   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01986   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01987   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01988   928   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 01989   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01990   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01991   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01992   928   NtUserKillTimer  (1114412, 1, ... ) == 0x0
 01993   928   NtUserSetTimer  (1114412, 1, 300, 0, ... ) == 0x1
 01994   928   NtUserCallNoParam  (7, ... ) == 0x1
 01995   928   NtUserQueryWindow  (590100, 3, ... ) == 0x0
 01996   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01997   928   NtUserQueryWindow  (590100, 2, ... ) == 0x0
 01998   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01999   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 02000   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 02001   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 02002   928   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 02003   928   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 02004   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02005   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01933   928   NtUserSetFocus  ... ) == 0x1800f4
 02006   928   NtUserSetWindowPos  (655618, 0, 0, 0, 0, 0, 151, ... ) == 0x1
 02007   928   NtUserGetThreadState  (1, ... ) == 0x0
 02008   928   NtUserPostMessage  (655618, 0, 0, 0, ... ) == 0x1
 02009   928   NtUserDestroyWindow  (655618, ...
 02010   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02011   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02012   928   NtUserGetThreadState  (0, ... ) == 0x0
 02013   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 02014   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02015   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02016   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02017   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02018   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02019   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02020   928   NtUserCallOneParam  (8, 43, ... ) == 0x80008
 02021   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02022   928   NtUserPeekMessage  (393540, 0, 0, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0xa0102, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02023   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02024   928   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb0a24, {0, 0}}, ) == 0x1
 02025   928   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb0a24, {0, 0}}, ) == 0x0
 02026   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02027   928   NtUserPeekMessage  (0, 49318, 49318, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb0a24, {0, 0}}, ) == 0x0
 02028   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02029   928   NtUserPeekMessage  (0, 49319, 49319, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb0a24, {0, 0}}, ) == 0x0
 02030   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02031   928   NtUserPeekMessage  (0, 49321, 49321, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb0a24, {0, 0}}, ) == 0x0
 02032   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 02033   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02034   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02035   928   NtUserDestroyCursor  (65545, 1, ... ) == 0x1
 02036   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02037   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02038   928   NtUserGetThreadState  (0, ... ) == 0x0
 02039   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 02040   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02041   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02042   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02043   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02044   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02045   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02046   928   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 02047   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02048   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02049   928   NtUserPeekMessage  (393540, 0, 0, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02050   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02051   928   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02052   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02053   928   NtUserPeekMessage  (0, 49318, 49318, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02054   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02055   928   NtUserPeekMessage  (0, 49319, 49319, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02056   928   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 02057   928   NtUserPeekMessage  (0, 49321, 49321, 9961475, ... {0x7e470254, WM_USER+0x148650, 0x145610, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 02058   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 02059   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02060   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02061   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 02062   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 02063   928   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 02064   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02065   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02066   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02067   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02068   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02069   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02070   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02071   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02072   928   NtUserSetWindowLong  (1114412, 4, 0, 1, ... ) == 0x147748
 02073   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02074   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02075   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02076   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02077   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02078   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02079   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02080   928   NtUserValidateHandleSecure  (0, ... ) == 0x0
 02081   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02082   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02083   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02084   928   NtUserKillTimer  (0, 0, ... ) == 0x0
 02085   928   NtUserRemoveProp  (1114412, 43288, ... ) == 0xffffffff
 02086   928   NtUserRemoveProp  (1114412, 43282, ... ) == 0x0
 02087   928   NtUserRemoveProp  (1114412, 43287, ... ) == 0x0
 02088   928   NtUserBuildHwndList  (0, 0, 0, 928, 64, ... (0xa0102, 0x90114, 0x1, ), 3, ) == 0x0
 02089   928   NtUserValidateHandleSecure  (1114412, ... ) == 0x0
 02090   928   NtUserSetWindowFNID  (590100, 16384, ... ) == 0x1
 02091   928   NtUserRemoveProp  (590100, 43288, ... ) == 0xffffffff
 02092   928   NtUserRemoveProp  (590100, 43282, ... ) == 0x0
 02093   928   NtUserRemoveProp  (590100, 43287, ... ) == 0x0
 02094   928   NtUserSetWindowFNID  (1573108, 16384, ... ) == 0x1
 02095   928   NtUserRemoveProp  (1573108, 43288, ... ) == 0xffffffff
 02096   928   NtUserRemoveProp  (1573108, 43282, ... ) == 0x0
 02097   928   NtUserRemoveProp  (1573108, 43287, ... ) == 0x0
 02098   928   NtUserSetWindowFNID  (327932, 16384, ... ) == 0x1
 02099   928   NtUserRemoveProp  (327932, 43288, ... ) == 0xffffffff
 02100   928   NtUserRemoveProp  (327932, 43282, ... ) == 0x0
 02101   928   NtUserRemoveProp  (327932, 43287, ... ) == 0x0
 02102   928   NtUserSetWindowFNID  (852250, 16384, ... ) == 0x1
 02103   928   NtUserRemoveProp  (852250, 43288, ... ) == 0xffffffff
 02104   928   NtUserRemoveProp  (852250, 43282, ... ) == 0x0
 02105   928   NtUserRemoveProp  (852250, 43287, ... ) == 0x0
 02106   928   NtUserSetThreadState  (0, 16384, ... ) == 0x816e5328
 02107   928   NtGdiDeleteObjectApp  (705300119, ... ) == 0x1
 02108   928   NtUserCallHwndParam  (655618, 0, 79, ... ) == 0x0
 02109   928   NtUserRemoveProp  (655618, 43285, ... ) == 0x0
 02110   928   NtUserRemoveProp  (655618, 43288, ... ) == 0x8428b0
 02111   928   NtGdiDeleteObjectApp  (-1778121036, ... ) == 0x1
 02112   928   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 02113   928   NtUserRemoveProp  (655618, 43287, ... ) == 0x0
 02009   928   NtUserDestroyWindow  ... ) == 0x1
 02114   928   NtUserSetCursor  (65557, ... ) == 0x10015
 02115   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242580,  (0x80100080, {24, 0, 0x40, 0, 1242580, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 02116   928   NtQueryInformationFile  (112, 1243016, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 02117   928   NtQueryInformationFile  (112, 1242932, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02118   928   NtQueryInformationFile  (112, 1242748, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02119   928   NtQueryInformationFile  (112, 1353408, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 02120   928   NtQueryInformationFile  (112, 1241196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02121   928   NtQueryInformationFile  (112, 1241472, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 02122   928   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241348,  (0x40110080, {24, 0, 0x40, 0, 1241348, "\??\C:\WINDOWS\system32\upu.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 02123   928   NtClose  (-2147482740, ... ) == 0x0
 02122   928   NtCreateFile  ... 124, {status=0x0, info=2}, ) == 0x0
 02124   928   NtQueryVolumeInformationFile  (124, 1241500, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02125   928   NtQueryInformationFile  (124, 1241084, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02126   928   NtQueryVolumeInformationFile  (112, 1241500, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 02127   928   NtSetInformationFile  (124, 1241400, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 02128   928   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 112, ... 120, ) == 0x0
 02129   928   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x990000), {0, 0}, 40960, ) == 0x0
 02130   928   NtClose  (120, ... ) == 0x0
 02131   928   NtWriteFile  (124, 0, 0, 0,  (124, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\12\0\0\0\232\0\0\0\0\0\0]l\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0"m\1\04\0\0\0\0\320\0\0H\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0\240\0\0\0\320\0\0V\235\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30mA\0\14mA\0\16mA\0\230\1@\0\0\20@\0\14fA\0\1 @\0\10@\0\0\0\0\0\316\26@\0\1\0\0\0JmA\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 40800, 0x0, 0, ... {status=0x0, info=40800}, ) m\1\04\0\0\0\0\320\0\0H\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0\240\0\0\0\320\0\0V\235\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30mA\0\14mA\0\16mA\0\230\1@\0\0\20@\0\14fA\0\1 @\0\10@\0\0\0\0\0\316\26@\0\1\0\0\0JmA\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 40800, 0x0, 0, ... {status=0x0, info=40800}, ) == 0x0
 02132   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 02133   928   NtSetInformationFile  (124, 1242748, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02134   928   NtClose  (112, ... ) == 0x0
 02135   928   NtClose  (124, ... ) == 0x0
 02136   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1243640, ... ) }, 1243640, ... ) == 0x0
 02137   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1242608, ... ) }, 1242608, ... ) == 0x0
 02138   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1241380, ... ) }, 1241380, ... ) == 0x0
 02139   928   NtAllocateVirtualMemory  (-1, 1376256, 0, 16384, 4096, 4, ... 1376256, 16384, ) == 0x0
 02140   928   NtAllocateVirtualMemory  (-1, 1392640, 0, 24576, 4096, 4, ... 1392640, 24576, ) == 0x0
 02141   928   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02142   928   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02143   928   NtQueryDefaultLocale  (0, 1243628, ... ) == 0x0
 02144   928   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243676,  (0xc0100080, {24, 0, 0x40, 0, 1243676, "\??\C:\WINDOWS\system32\setupex.exe"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02145   928   NtClose  (-2147482740, ... ) == 0x0
 02144   928   NtCreateFile  ... 124, {status=0x0, info=2}, ) == 0x0
 02146   928   NtWriteFile  (124, 0, 0, 0,  (124, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\216\201\13\1\0\0\0B\0\0\0n\0\0\0\0\0\0[/\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\3\0\12\0\0\0\0\0\0@\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0 \0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0 0\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0\0\0\0\0\0`\0\0\0\340\0\0TP\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260A\0\120A\0\140A\0\230\1@\0\0\20@\0\0\340@\0\1`@\0\1\320@\0\0\0\0\0\4\304@\0\1\0\0\0H0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 21088, 0x0, 0, ... , 21088, 0x0, 0, ...
 02147   928   NtContinue  (-139612716, 0, ...
 02146   928   NtWriteFile  ... {status=0x0, info=21088}, ) == 0x0
 02148   928   NtClose  (124, ... ) == 0x0
 02149   928   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02150   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 02151   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1240704, ... ) }, 1240704, ... ) == 0x0
 02152   928   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0
 02153   928   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 124, ... 112, ) == 0x0
 02154   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02155   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 120, ) }, ... 120, ) == 0x0
 02156   928   NtQueryValueKey  (120,  (120, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   928   NtClose  (120, ... ) == 0x0
 02158   928   NtQueryVolumeInformationFile  (124, 1239980, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02159   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02160   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02161   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237912, ... ) }, 1237912, ... ) == 0x0
 02162   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 02163   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 120, ... 128, ) == 0x0
 02164   928   NtClose  (120, ... ) == 0x0
 02165   928   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 126976, ) == 0x0
 02166   928   NtClose  (128, ... ) == 0x0
 02167   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02168   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 02169   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 02170   928   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 128, ... 120, ) == 0x0
 02171   928   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02172   928   NtClose  (128, ... ) == 0x0
 02173   928   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 02174   928   NtClose  (120, ... ) == 0x0
 02175   928   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 02176   928   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 02177   928   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 02178   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02179   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 120, {status=0x0, info=1}, ) == 0x0
 02180   928   NtQueryInformationFile  (120, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02181   928   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 120, ... 128, ) == 0x0
 02182   928   NtMapViewOfSection  (128, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa20000), 0x0, 1191936, ) == 0x0
 02183   928   NtQueryInformationFile  (120, 1238336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02184   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02185   928   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02186   928   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02187   928   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02188   928   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 104, ) }, ... 104, ) == 0x0
 02189   928   NtQueryValueKey  (104,  (104, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (104, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02190   928   NtClose  (104, ... ) == 0x0
 02191   928   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02193   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235932, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235932, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02194   928   NtClose  (104, ... ) == 0x0
 02195   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02196   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02197   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1236308, ... ) }, 1236308, ... ) == 0x0
 02198   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02199   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02200   928   NtClose  (104, ... ) == 0x0
 02201   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02202   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02203   928   NtClose  (104, ... ) == 0x0
 02204   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02205   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02206   928   NtClose  (104, ... ) == 0x0
 02207   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02208   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02209   928   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02210   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02212   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 02213   928   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02214   928   NtClose  (104, ... ) == 0x0
 02215   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02216   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\setupex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02217   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02218   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02219   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1237560, ... ) }, 1237560, ... ) == 0x0
 02220   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02221   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02222   928   NtClose  (104, ... ) == 0x0
 02223   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02224   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02225   928   NtClose  (104, ... ) == 0x0
 02226   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02227   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02228   928   NtClose  (104, ... ) == 0x0
 02229   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02230   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02231   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02232   928   NtQueryVolumeInformationFile  (124, 1238216, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02233   928   NtQueryInformationFile  (124, 1238196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02234   928   NtQueryInformationFile  (124, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02235   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02236   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02237   928   NtClose  (128, ... ) == 0x0
 02238   928   NtClose  (120, ... ) == 0x0
 02239   928   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02240   928   NtOpenProcessToken  (-1, 0xa, ... 120, ) == 0x0
 02241   928   NtQueryInformationToken  (120, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 02242   928   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02243   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 02244   928   NtQueryValueKey  (128,  (128, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02245   928   NtQueryValueKey  (128,  (128, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (128, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02246   928   NtClose  (128, ... ) == 0x0
 02247   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02248   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 02249   928   NtQueryValueKey  (128,  (128, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02250   928   NtClose  (128, ... ) == 0x0
 02251   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02252   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02253   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02254   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02255   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02256   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02257   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02258   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02259   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02260   928   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02261   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 128, ) }, ... 128, ) == 0x0
 02262   928   NtEnumerateKey  (128, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (128, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02263   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 104, ) }, ... 104, ) == 0x0
 02264   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02265   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02266   928   NtClose  (104, ... ) == 0x0
 02267   928   NtEnumerateKey  (128, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02268   928   NtClose  (128, ... ) == 0x0
 02269   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 128, ) }, ... 128, ) == 0x0
 02270   928   NtEnumerateKey  (128, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (128, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02271   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 104, ) }, ... 104, ) == 0x0
 02272   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02273   928   NtQueryValueKey  (104,  (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02274   928   NtQueryValueKey  (104,  (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02275   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02276   928   NtClose  (104, ... ) == 0x0
 02277   928   NtEnumerateKey  (128, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (128, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02278   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 104, ) }, ... 104, ) == 0x0
 02279   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02280   928   NtQueryValueKey  (104,  (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02281   928   NtQueryValueKey  (104,  (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02282   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02283   928   NtClose  (104, ... ) == 0x0
 02284   928   NtEnumerateKey  (128, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (128, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02285   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 104, ) }, ... 104, ) == 0x0
 02286   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02287   928   NtQueryValueKey  (104,  (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02288   928   NtQueryValueKey  (104,  (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02289   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02290   928   NtClose  (104, ... ) == 0x0
 02291   928   NtEnumerateKey  (128, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (128, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02292   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 104, ) }, ... 104, ) == 0x0
 02293   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02294   928   NtQueryValueKey  (104,  (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02295   928   NtQueryValueKey  (104,  (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02296   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02297   928   NtClose  (104, ... ) == 0x0
 02298   928   NtEnumerateKey  (128, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (128, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02299   928   NtOpenKey  (0x20019, {24, 128, 0x40, 0, 0,  (0x20019, {24, 128, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 104, ) }, ... 104, ) == 0x0
 02300   928   NtQueryValueKey  (104,  (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (104, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02301   928   NtQueryValueKey  (104,  (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02302   928   NtQueryValueKey  (104,  (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (104, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02303   928   NtQueryValueKey  (104,  (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (104, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02304   928   NtClose  (104, ... ) == 0x0
 02305   928   NtEnumerateKey  (128, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02306   928   NtClose  (128, ... ) == 0x0
 02307   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02308   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02309   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02310   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02311   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02312   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02313   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02314   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02315   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02316   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02317   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02318   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02319   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02320   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02321   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02322   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02323   928   NtClose  (128, ... ) == 0x0
 02324   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02325   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02326   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02327   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02328   928   NtClose  (128, ... ) == 0x0
 02329   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02330   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02331   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02332   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02333   928   NtClose  (128, ... ) == 0x0
 02334   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02336   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02337   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02338   928   NtClose  (128, ... ) == 0x0
 02339   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02340   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02341   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02342   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02343   928   NtClose  (128, ... ) == 0x0
 02344   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02345   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02346   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02347   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02348   928   NtClose  (128, ... ) == 0x0
 02349   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02351   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02352   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02353   928   NtClose  (128, ... ) == 0x0
 02354   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02355   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02356   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02357   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02358   928   NtClose  (128, ... ) == 0x0
 02359   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02360   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02361   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02362   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02363   928   NtClose  (128, ... ) == 0x0
 02364   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02365   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02366   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02367   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02368   928   NtClose  (128, ... ) == 0x0
 02369   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02370   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02371   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02372   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02373   928   NtClose  (128, ... ) == 0x0
 02374   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02375   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02376   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02377   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02378   928   NtClose  (128, ... ) == 0x0
 02379   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02380   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02381   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02382   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02383   928   NtClose  (128, ... ) == 0x0
 02384   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02385   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02386   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02387   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02388   928   NtClose  (128, ... ) == 0x0
 02389   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02390   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02391   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02392   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02393   928   NtClose  (128, ... ) == 0x0
 02394   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02395   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 02396   928   NtQueryValueKey  (128,  (128, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (128, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (128, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02397   928   NtClose  (128, ... ) == 0x0
 02398   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02399   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 128, ) == 0x0
 02400   928   NtQueryInformationToken  (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02401   928   NtClose  (128, ... ) == 0x0
 02402   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02403   928   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02404   928   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 02405   928   NtDuplicateToken  (128, 0xc, {24, 0, 0x0, 0, 1239840, 0x0}, 0, 2, ... 104, ) == 0x0
 02406   928   NtClose  (128, ... ) == 0x0
 02407   928   NtAccessCheck  (1363440, 104, 0x1, 1239916, 1239968, 56, 1239948, ... (0x1), ) == 0x0
 02408   928   NtClose  (104, ... ) == 0x0
 02409   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 104, ) }, ... 104, ) == 0x0
 02410   928   NtQueryValueKey  (104,  (104, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (104, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02411   928   NtClose  (104, ... ) == 0x0
 02412   928   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 104, ) }, ... 104, ) == 0x0
 02413   928   NtQuerySymbolicLinkObject  (104, ...  (104, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02414   928   NtClose  (104, ... ) == 0x0
 02415   928   NtQueryVolumeInformationFile  (124, 1237672, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02416   928   NtQueryInformationFile  (124, 1237788, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 02417   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02418   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02419   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1236960, ... ) }, 1236960, ... ) == 0x0
 02420   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02421   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02422   928   NtClose  (104, ... ) == 0x0
 02423   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02424   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02425   928   NtClose  (104, ... ) == 0x0
 02426   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02427   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236388, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02428   928   NtClose  (104, ... ) == 0x0
 02429   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02430   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02431   928   NtQueryInformationFile  (124, 1239828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02432   928   NtCreateSection  (0xf0005, 0x0, {21088, 0}, 2, 134217728, 124, ... 104, ) == 0x0
 02433   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 21088, 1, 0, 2, ... (0x990000), {0, 0}, 24576, ) == 0x0
 02434   928   NtClose  (104, ... ) == 0x0
 02435   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02436   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 02437   928   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02438   928   NtClose  (104, ... ) == 0x0
 02439   928   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 104, ) }, ... 104, ) == 0x0
 02440   928   NtOpenKey  (0x20019, {24, 104, 0x40, 0, 0,  (0x20019, {24, 104, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 128, ) }, ... 128, ) == 0x0
 02441   928   NtClose  (104, ... ) == 0x0
 02442   928   NtQueryValueKey  (128,  (128, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02443   928   NtQueryValueKey  (128,  (128, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (128, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02444   928   NtClose  (128, ... ) == 0x0
 02445   928   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 02446   928   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10027008, 4096, ) == 0x0
 02447   928   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 02448   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 128, ) }, ... 128, ) == 0x0
 02449   928   NtQueryValueKey  (128,  (128, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02450   928   NtClose  (128, ... ) == 0x0
 02451   928   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02452   928   NtQueryInformationToken  (120, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02453   928   NtQueryInformationToken  (120, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02454   928   NtClose  (120, ... ) == 0x0
 02455   928   NtQuerySection  (112, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02456   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02457   928   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02458   928   NtCreateProcessEx  (1241752, 2035711, 0, -1, 0, 112, 0, 0, 0, ... ) == 0x0
 02459   928   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd4000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=1972,}, 0x0, ) == 0x0
 02460   928   NtReadVirtualMemory  (120, 0x7ffd4008, 4, ...  (120, 0x7ffd4008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02461   928   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02462   928   NtReadVirtualMemory  (120, 0x400000, 4096, ...  (120, 0x400000, 4096, ... "MZP\0\2\0\0\0\4\0\17\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\216\201\13\1\0\0\0B\0\0\0n\0\0\0\0\0\0[/\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\3\0\12\0\0\0\0\0\0@\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0 \0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0 0\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0\0\0\0\0\0`\0\0\0\340\0\0TP\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\260A\0\120A\0\140A\0\230\1@\0\0\20@\0\0\340@\0\1`@\0\1\320@\0\0\0\0\0\4\304@\0\1\0\0\0H0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02463   928   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02464   928   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd4000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=1972,}, 0x0, ) == 0x0
 02465   928   NtAllocateVirtualMemory  (-1, 0, 0, 2420, 4096, 4, ... 10616832, 4096, ) == 0x0
 02466   928   NtAllocateVirtualMemory  (120, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02467   928   NtWriteVirtualMemory  (120, 0x10000,  (120, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02468   928   NtAllocateVirtualMemory  (120, 0, 0, 2420, 4096, 4, ... 131072, 4096, ) == 0x0
 02469   928   NtWriteVirtualMemory  (120, 0x20000,  (120, 0x20000, "\0\20\0\0t\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\364\3\366\3\230\4\0\0>\0@\0\220\10\0\0>\0@\0\320\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0>\0@\0\20\11\0\0\36\0 \0P\11\0\0\0\0\2\0p\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2420, ... 0x0, ) , 2420, ... 0x0, ) == 0x0
 02470   928   NtWriteVirtualMemory  (120, 0x7ffd4010,  (120, 0x7ffd4010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02471   928   NtWriteVirtualMemory  (120, 0x7ffd41e8,  (120, 0x7ffd41e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02472   928   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 02473   928   NtAllocateVirtualMemory  (120, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02474   928   NtAllocateVirtualMemory  (120, 1232896, 0, 12288, 4096, 4, ... 1232896, 12288, ) == 0x0
 02475   928   NtProtectVirtualMemory  (120, (0x12d000), 4096, 260, ... (0x12d000), 4096, 4, ) == 0x0
 02476   928   NtCreateThread  (0x1f03ff, 0x0, 120, 1241760, 1241424, 1, ... 128, {860, 484}, ) == 0x0
 02477   928   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1334344, 2147344384}  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1334344, 2147344384} "\0\0\0\0\0\0\1\0\10\366\22\0\0\0\0\0{\0\0\0\200\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 1972, 928, 57960, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0x\0\0\0\200\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ... {168, 196, reply, 0, 1972, 928, 57960, 0}  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1334344, 2147344384} "\0\0\0\0\0\0\1\0\10\366\22\0\0\0\0\0{\0\0\0\200\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 1972, 928, 57960, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0x\0\0\0\200\0\0\0\\3\0\0\344\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ) == 0x0
 02478   928   NtResumeThread  (128, ... 1, ) == 0x0
 02479   928   NtClose  (124, ... ) == 0x0
 02480   928   NtClose  (112, ... ) == 0x0
 02481   928   NtQueryInformationProcess  (120, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd4000,AffinityMask=0x1,BasePriority=8,Pid=860,ParentPid=1972,}, 0x0, ) == 0x0
 02482   928   NtUserWaitForInputIdle  (860, 30000, 0, ...
 02483   928   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 02484   928   NtClose  (112, ... ) == 0x0
 02482   928   NtUserWaitForInputIdle  ... ) == 0x0
 02485   928   NtClose  (120, ... ) == 0x0
 02486   928   NtClose  (128, ... ) == 0x0
 02487   928   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02488   928   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02489   928   NtQueryDefaultLocale  (0, 1243628, ... ) == 0x0
 02490   928   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243676,  (0xc0100080, {24, 0, 0x40, 0, 1243676, "\??\C:\WINDOWS\svchost.exe"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02491   928   NtClose  (-2147482740, ... ) == 0x0
 02490   928   NtCreateFile  ... 128, {status=0x0, info=2}, ) == 0x0
 02492   928   NtWriteFile  (128, 0, 0, 0,  (128, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0N\0\0\0\220\0\0\0\0\0\0N,\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\23-\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\340\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0@\0\0\0\360\0\0G=\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11-A\0\375,A\0\377,A\0\230\1@\0\0\20@\0\0\360@\0\1`@\0\0\0\0\0\334Y@\0\1\0\0\0;-A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16208, 0x0, 0, ... , 16208, 0x0, 0, ...
 02493   928   NtContinue  (-139612716, 0, ...
 02492   928   NtWriteFile  ... {status=0x0, info=16208}, ) == 0x0
 02494   928   NtClose  (128, ... ) == 0x0
 02495   928   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 7, 2113568, ... 128, {status=0x0, info=1}, ) }, 7, 2113568, ... 128, {status=0x0, info=1}, ) == 0x0
 02496   928   NtSetInformationFile  (128, 1243668, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02497   928   NtClose  (128, ... ) == 0x0
 02498   928   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02499   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 02500   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1240704, ... ) }, 1240704, ... ) == 0x0
 02501   928   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0
 02502   928   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 128, ... 120, ) == 0x0
 02503   928   NtQueryVolumeInformationFile  (128, 1239980, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02504   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02505   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02506   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 112, {status=0x0, info=1}, ) == 0x0
 02507   928   NtQueryInformationFile  (112, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02508   928   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 112, ... 124, ) == 0x0
 02509   928   NtMapViewOfSection  (124, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa20000), 0x0, 1191936, ) == 0x0
 02510   928   NtQueryInformationFile  (112, 1238336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02511   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02512   928   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02513   928   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 104, ) }, ... 104, ) == 0x0
 02514   928   NtQueryValueKey  (104,  (104, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (104, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02515   928   NtClose  (104, ... ) == 0x0
 02516   928   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02517   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02518   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235932, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235932, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02519   928   NtClose  (104, ... ) == 0x0
 02520   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02521   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02522   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236308, ... ) }, 1236308, ... ) == 0x0
 02523   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02524   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02525   928   NtClose  (104, ... ) == 0x0
 02526   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02527   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (104, 0, 0, 0, 1235736, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02528   928   NtClose  (104, ... ) == 0x0
 02529   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02530   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02531   928   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02532   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02533   928   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02534   928   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 02535   928   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02536   928   NtClose  (104, ... ) == 0x0
 02537   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02538   928   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\svchost.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02539   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1237156, ... ) }, 1237156, ... ) == 0x0
 02540   928   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 104, ) }, ... 104, ) == 0x0
 02541   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 02542   928   NtClose  (104, ... ) == 0x0
 02543   928   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 02544   928   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 02545   928   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 02546   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02547   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02548   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02549   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 02550   928   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 02551   928   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 132, ) == 0x0
 02552   928   NtClose  (104, ... ) == 0x0
 02553   928   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb50000), 0x0, 16384, ) == 0x0
 02554   928   NtClose  (132, ... ) == 0x0
 02555   928   NtUnmapViewOfSection  (-1, 0xb50000, ... ) == 0x0
 02556   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 02557   928   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236348,  (0x80100080, {24, 0, 0x40, 0, 1236348, "\??\C:\WINDOWS\svchost.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 02558   928   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 132, ... 104, ) == 0x0
 02559   928   NtClose  (132, ... ) == 0x0
 02560   928   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb50000), {0, 0}, 16384, ) == 0x0
 02561   928   NtClose  (104, ... ) == 0x0
 02562   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02563   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02564   928   NtUnmapViewOfSection  (-1, 0xb50000, ... ) == 0x0
 02565   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02566   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02567   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1237560, ... ) }, 1237560, ... ) == 0x0
 02568   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02569   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02570   928   NtClose  (104, ... ) == 0x0
 02571   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 104, {status=0x0, info=1}, ) }, 3, 16417, ... 104, {status=0x0, info=1}, ) == 0x0
 02572   928   NtQueryDirectoryFile  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (104, 0, 0, 0, 1236988, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02573   928   NtClose  (104, ... ) == 0x0
 02574   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02575   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02576   928   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02577   928   NtQueryVolumeInformationFile  (128, 1238216, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02578   928   NtQueryInformationFile  (128, 1238196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02579   928   NtQueryInformationFile  (128, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02580   928   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02581   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02582   928   NtClose  (124, ... ) == 0x0
 02583   928   NtClose  (112, ... ) == 0x0
 02584   928   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02585   928   NtOpenProcessToken  (-1, 0xa, ... 112, ) == 0x0
 02586   928   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 02587   928   NtQueryKey  (124, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (124, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="CodeIdentifierso"}, 46, ) }, 46, ) == 0x0
 02588   928   NtClose  (124, ... ) == 0x0
 02589   928   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02590   928   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 124, ) }, ... 124, ) == 0x0
 02591   928   NtQuerySymbolicLinkObject  (124, ...  (124, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02592   928   NtClose  (124, ... ) == 0x0
 02593   928   NtQueryVolumeInformationFile  (128, 1237672, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02594   928   NtQueryInformationFile  (128, 1237788, 528, Name, ... {status=0x0, info=44}, ) == 0x0
 02595   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02596   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02597   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236960, ... ) }, 1236960, ... ) == 0x0
 02598   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 02599   928   NtQueryDirectoryFile  (124, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236388, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02600   928   NtClose  (124, ... ) == 0x0
 02601   928   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 124, {status=0x0, info=1}, ) }, 3, 16417, ... 124, {status=0x0, info=1}, ) == 0x0
 02602   928   NtQueryDirectoryFile  (124, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (124, 0, 0, 0, 1236388, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02603   928   NtClose  (124, ... ) == 0x0
 02604   928   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02605   928   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02606   928   NtQueryInformationFile  (128, 1239828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02607   928   NtCreateSection  (0xf0005, 0x0, {16208, 0}, 2, 134217728, 128, ... 124, ) == 0x0
 02608   928   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 16208, 1, 0, 2, ... (0xa20000), {0, 0}, 16384, ) == 0x0
 02609   928   NtClose  (124, ... ) == 0x0
 02610   928   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02611   928   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 124, ) }, ... 124, ) == 0x0
 02612   928   NtQueryValueKey  (124,  (124, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02613   928   NtClose  (124, ... ) == 0x0
 02614   928   NtQueryInformationToken  (112, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02615   928   NtQueryInformationToken  (112, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02616   928   NtClose  (112, ... ) == 0x0
 02617   928   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02618   928   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02619   928   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02620   928   NtCreateProcessEx  (1241752, 2035711, 0, -1, 0, 120, 0, 0, 0, ... ) == 0x0
 02621   928   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd5000,AffinityMask=0x1,BasePriority=8,Pid=164,ParentPid=1972,}, 0x0, ) == 0x0
 02622   928   NtReadVirtualMemory  (112, 0x7ffd5008, 4, ...  (112, 0x7ffd5008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02623   928   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02624   928   NtReadVirtualMemory  (112, 0x400000, 4096, ...  (112, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0N\0\0\0\220\0\0\0\0\0\0N,\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\23-\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\340\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0@\0\0\0\360\0\0G=\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11-A\0\375,A\0\377,A\0\230\1@\0\0\20@\0\0\360@\0\1`@\0\0\0\0\0\334Y@\0\1\0\0\0;-A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02625   928   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02626   928   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd5000,AffinityMask=0x1,BasePriority=8,Pid=164,ParentPid=1972,}, 0x0, ) == 0x0
 02627   928   NtAllocateVirtualMemory  (-1, 0, 0, 2352, 4096, 4, ... 10616832, 4096, ) == 0x0
 02628   928   NtAllocateVirtualMemory  (112, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02629   928   NtWriteVirtualMemory  (112, 0x10000,  (112, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02630   928   NtAllocateVirtualMemory  (112, 0, 0, 2352, 4096, 4, ... 131072, 4096, ) == 0x0
 02631   928   NtWriteVirtualMemory  (112, 0x20000,  (112, 0x20000, "\0\20\0\00\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\342\3\344\3\230\4\0\0,\0.\0|\10\0\0,\0.\0\254\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0,\0.\0\334\10\0\0\36\0 \0\14\11\0\0\0\0\2\0,\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2352, ... 0x0, ) , 2352, ... 0x0, ) == 0x0
 02632   928   NtWriteVirtualMemory  (112, 0x7ffd5010,  (112, 0x7ffd5010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02633   928   NtWriteVirtualMemory  (112, 0x7ffd51e8,  (112, 0x7ffd51e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02634   928   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 02635   928   NtAllocateVirtualMemory  (112, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02636   928   NtAllocateVirtualMemory  (112, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02637   928   NtProtectVirtualMemory  (112, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02638   928   NtCreateThread  (0x1f03ff, 0x0, 112, 1241760, 1241424, 1, ... 124, {164, 1564}, ) == 0x0
 02639   928   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1972, 928, 57960, 0}  (24, {168, 196, new_msg, 0, 1972, 928, 57960, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0s\0\0\0|\0\0\0\244\0\0\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 1972, 928, 58005, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0p\0\0\0|\0\0\0\244\0\0\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ... {168, 196, reply, 0, 1972, 928, 58005, 0}  (24, {168, 196, new_msg, 0, 1972, 928, 57960, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0s\0\0\0|\0\0\0\244\0\0\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 1972, 928, 58005, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0p\0\0\0|\0\0\0\244\0\0\0\34\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ) == 0x0
 02640   928   NtResumeThread  (124, ... 1, ) == 0x0
 02641   928   NtClose  (128, ... ) == 0x0
 02642   928   NtClose  (120, ... ) == 0x0
 02643   928   NtQueryInformationProcess  (112, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd5000,AffinityMask=0x1,BasePriority=8,Pid=164,ParentPid=1972,}, 0x0, ) == 0x0
 02644   928   NtUserWaitForInputIdle  (164, 30000, 0, ...
 02645   928   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 02646   928   NtClose  (120, ... ) == 0x0
 02644   928   NtUserWaitForInputIdle  ... ) == 0x0
 02647   928   NtClose  (112, ... ) == 0x0
 02648   928   NtClose  (124, ... ) == 0x0
 02649   928   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02650   928   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02651   928   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02652   928   NtTerminateProcess  (0, 0, ... ) == 0x0
 02653   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02654   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Msctf.dll"}, 1241600, ... ) }, 1241600, ... ) == 0x0
 02655   928   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Msctf.dll"}, 1241508, ... ) }, 1241508, ... ) == 0x0
 02656   928   NtUserGetClassInfo  (1968963584, 1243836, 1244400, 1243832, 0, ... ) == 0xc079
 02657   928   NtUserUnregisterClass  (1243840, 1968963584, 1243828, ... ) == 0x1
 02658   928   NtUserDestroyCursor  (65539, 1, ... ) == 0x1
 02659   928   NtUserDestroyCursor  (4522213, 1, ... ) == 0x0
 02660   928   NtUserGetClassInfo  (1968963584, 1243836, 1244400, 1243832, 0, ... ) == 0xc07a
 02661   928   NtUserUnregisterClass  (1243840, 1968963584, 1243828, ... ) == 0x1
 02662   928   NtUserDestroyCursor  (0, 1, ... ) == 0x0
 02663   928   NtUserDestroyCursor  (0, 1, ... ) == 0x0
 02664   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02665   928   NtGdiDeleteObjectApp  (-1660877202, ... ) == 0x1
 02666   928   NtGdiDeleteObjectApp  (-956234582, ... ) == 0x1
 02667   928   NtGdiDeleteObjectApp  (-1694431919, ... ) == 0x1
 02668   928   NtUserPostThreadMessage  (1748, 49315, 0, 928, ... ) == 0x1
 02669   928   NtUserPostThreadMessage  (416, 49315, 0, 928, ... ) == 0x1
 02670   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02671   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02672   928   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02673   928   NtUserSetWindowLong  (393540, -4, 2118243566, 1, ... ) == 0x7473f99e
 02674   928   NtUserUnhookWindowsHookEx  (393695, ... ) == 0x1
 02675   928   NtUserUnhookWindowsHookEx  (1573423, ... ) == 0x1
 02676   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 02677   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 02678   928   NtUserDestroyCursor  (590411, 1, ... ) == 0x1
 02679   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 02680   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 02681   928   NtUserPostThreadMessage  (1748, 49316, 0, 928, ... ) == 0x1
 02682   928   NtUserPostThreadMessage  (416, 49316, 0, 928, ... ) == 0x1
 02683   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02684   928   NtUserPostMessage  (65742, 49321, 12257437, 12, ... ) == 0x1
 02685   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02686   928   NtUserPostMessage  (65742, 49321, 12257437, 13, ... ) == 0x1
 02687   928   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02688   928   NtUserPostMessage  (65742, 49321, 12257437, 14, ... ) == 0x1
 02689   928   NtUnmapViewOfSection  (-1, 0x9a0000, ... ) == 0x0
 02690   928   NtClose  (116, ... ) == 0x0
 02691   928   NtClose  (108, ... ) == 0x0
 02692   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02693   928   NtUnmapViewOfSection  (-1, 0x8c0000, ... ) == 0x0
 02694   928   NtClose  (88, ... ) == 0x0
 02695   928   NtClose  (84, ... ) == 0x0
 02696   928   NtClose  (60, ... ) == 0x0
 02697   928   NtClose  (64, ... ) == 0x0
 02698   928   NtClose  (68, ... ) == 0x0
 02699   928   NtClose  (72, ... ) == 0x0
 02700   928   NtClose  (76, ... ) == 0x0
 02701   928   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 02702   928   NtClose  (56, ... ) == 0x0
 02703   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02704   928   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 02705   928   NtClose  (48, ... ) == 0x0
 02706   928   NtGdiDeleteObjectApp  (1024460140, ... ) == 0x1
 02707   928   NtUserGetProcessWindowStation  (... ) == 0x20
 02708   928   NtUserBuildNameList  (32, 522, 1334648, 1244040, ... ) == 0x0
 02709   928   NtUserGetProcessWindowStation  (... ) == 0x20
 02710   928   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x30
 02711   928   NtUserBuildHwndList  (48, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0xb0102, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0xe011a, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 54, ) == 0x0
 02712   928   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02713   928   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 02714   928   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 02715   928   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02716   928   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02717   928   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 02718   928   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 02719   928   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02720   928   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 02721   928   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 02722   928   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 02723   928   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 02724   928   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 02725   928   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 02726   928   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 02727   928   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 02728   928   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 02729   928   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 02730   928   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 02731   928   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 02732   928   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 02733   928   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 02734   928   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 02735   928   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 02736   928   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 02737   928   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 02738   928   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 02739   928   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 02740   928   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 02741   928   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 02742   928   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 02743   928   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 02744   928   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 02745   928   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 02746   928   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 02747   928   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 02748   928   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 02749   928   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 02750   928   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 02751   928   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 02752   928   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 02753   928   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 02754   928   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 02755   928   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 02756   928   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 02757   928   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02758   928   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 02759   928   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 02760   928   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02761   928   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02762   928   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 02763   928   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 02764   928   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02765   928   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02766   928   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 02767   928   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 02768   928   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02769   928   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02770   928   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 02771   928   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 02772   928   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02773   928   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02774   928   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 02775   928   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 02776   928   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02777   928   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02778   928   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 02779   928   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 02780   928   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02781   928   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02782   928   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 02783   928   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 02784   928   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02785   928   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 02786   928   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 02787   928   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 02788   928   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 02789   928   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 02790   928   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 02791   928   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 02792   928   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 02793   928   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 02794   928   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 02795   928   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 02796   928   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 02797   928   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 02798   928   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 02799   928   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 02800   928   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 02801   928   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 02802   928   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 02803   928   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 02804   928   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 02805   928   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 02806   928   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 02807   928   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 02808   928   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 02809   928   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 02810   928   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 02811   928   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 02812   928   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 02813   928   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 02814   928   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 02815   928   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 02816   928   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02817   928   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 02818   928   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 02819   928   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02820   928   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02821   928   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 02822   928   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 02823   928   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02824   928   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02825   928   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 02826   928   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 02827   928   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02828   928   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02829   928   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 02830   928   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 02831   928   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02832   928   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02833   928   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 02834   928   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 02835   928   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02836   928   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02837   928   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 02838   928   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 02839   928   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02840   928   NtUserValidateHandleSecure  (721154, ... ) == 0x1
 02841   928   NtUserQueryWindow  (721154, 0, ... ) == 0x35c
 02842   928   NtUserQueryWindow  (721154, 1, ... ) == 0x5c8
 02843   928   NtUserValidateHandleSecure  (721154, ... ) == 0x1
 02844   928   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02845   928   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 02846   928   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 02847   928   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02848   928   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02849   928   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 02850   928   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 02851   928   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02852   928   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02853   928   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 02854   928   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 02855   928   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02856   928   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02857   928   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 02858   928   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 02859   928   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02860   928   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02861   928   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 02862   928   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 02863   928   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02864   928   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02865   928   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 02866   928   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 02867   928   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02868   928   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02869   928   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 02870   928   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 02871   928   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02872   928   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 02873   928   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 02874   928   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 02875   928   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 02876   928   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 02877   928   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 02878   928   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 02879   928   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 02880   928   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 02881   928   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 02882   928   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 02883   928   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 02884   928   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 02885   928   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02886   928   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 02887   928   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 02888   928   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02889   928   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02890   928   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 02891   928   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 02892   928   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02893   928   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02894   928   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 02895   928   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 02896   928   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02897   928   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02898   928   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 02899   928   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 02900   928   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02901   928   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02902   928   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 02903   928   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 02904   928   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02905   928   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02906   928   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 02907   928   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 02908   928   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02909   928   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02910   928   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 02911   928   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 02912   928   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02913   928   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02914   928   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 02915   928   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 02916   928   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02917   928   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02918   928   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 02919   928   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 02920   928   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02921   928   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02922   928   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 02923   928   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 02924   928   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02925   928   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02926   928   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 02927   928   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 02928   928   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02929   928   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02930   928   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 02931   928   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 02932   928   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02933   928   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02934   928   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 02935   928   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 02936   928   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02937   928   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02938   928   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 02939   928   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 02940   928   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02941   928   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02942   928   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02943   928   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02944   928   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02945   928   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 02946   928   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 02947   928   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 02948   928   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 02949   928   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 02950   928   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 02951   928   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 02952   928   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02953   928   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 02954   928   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 02955   928   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02956   928   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02957   928   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 02958   928   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 02959   928   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02960   928   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02961   928   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 02962   928   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 02963   928   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02964   928   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02965   928   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 02966   928   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 02967   928   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02968   928   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02969   928   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 02970   928   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 02971   928   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02972   928   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02973   928   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 02974   928   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 02975   928   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02976   928   NtUserValidateHandleSecure  (917786, ... ) == 0x1
 02977   928   NtUserQueryWindow  (917786, 0, ... ) == 0x35c
 02978   928   NtUserQueryWindow  (917786, 1, ... ) == 0x5c8
 02979   928   NtUserValidateHandleSecure  (917786, ... ) == 0x1
 02980   928   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02981   928   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 02982   928   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 02983   928   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02984   928   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02985   928   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 02986   928   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 02987   928   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02988   928   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02989   928   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 02990   928   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 02991   928   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02992   928   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02993   928   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 02994   928   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 02995   928   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02996   928   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02997   928   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 02998   928   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 02999   928   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 03000   928   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03001   928   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 03002   928   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 03003   928   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 03004   928   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03005   928   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 03006   928   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 03007   928   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 03008   928   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03009   928   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 03010   928   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 03011   928   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 03012   928   NtUserCloseDesktop  (48, ... ) == 0x1
 03013   928   NtUserGetProcessWindowStation  (... ) == 0x20
 03014   928   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03015   928   NtUserGetProcessWindowStation  (... ) == 0x20
 03016   928   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 03017   928   NtGdiDeleteObjectApp  (1409943092, ... ) == 0x1
 03018   928   NtGdiDeleteObjectApp  (1913259928, ... ) == 0x1
 03019   928   NtClose  (44, ... ) == 0x0
 03020   928   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 03021   928   NtClose  (100, ... ) == 0x0
 03022   928   NtFreeVirtualMemory  (-1, (0x990000), 4096, 32768, ... (0x990000), 4096, ) == 0x0
 03023   928   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 100, ) }, ... 100, ) == 0x0
 03024   928   NtQueryValueKey  (100,  (100, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 03025   928   NtClose  (100, ... ) == 0x0
 03026   928   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592}  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592} "\0\0\0\0\3\0\1\0\0@\0\0\2012\221|\0\0\0\0" ... {20, 48, reply, 0, 1972, 928, 58042, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2012\221|\0\0\0\0" )  ... {20, 48, reply, 0, 1972, 928, 58042, 0}  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592} "\0\0\0\0\3\0\1\0\0@\0\0\2012\221|\0\0\0\0" ... {20, 48, reply, 0, 1972, 928, 58042, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2012\221|\0\0\0\0" )  ) == 0x0
 03027   928   NtTerminateProcess  (-1, 0, ...