Summary:


NtCallbackReturn(>)  1 
NtUserCallHwndParam(>)  2 
NtUserWaitForInputIdle(>)  4 
NtUserKillTimer(>)  14 

NtConnectPort(>)  1 
NtUserDestroyWindow(>)  2 
NtGdiCreateBitmap(>)  5 
NtUserGetThreadState(>)  15 

NtCreateKey(>)  1 
NtUserGetIconSize(>)  2 
NtGdiHfontCreate(>)  5 
NtCreateFile(>)  16 

NtDuplicateObject(>)  1 
NtUserGetImeInfoEx(>)  2 
NtUserCalcMenuBar(>)  5 
NtSetEvent(>)  16 

NtFlushVirtualMemory(>)  1 
NtUserNotifyIMEStatus(>)  2 
NtUserGetAncestor(>)  5 
NtUserCallMsgFilter(>)  16 

NtFsControlFile(>)  1 
NtUserQueryInputContext(>)  2 
NtUserGetProcessWindowStation(>)  5 
NtOpenEvent(>)  17 

NtGdiExtCreateRegion(>)  1 
NtUserSetTimer(>)  2 
NtUserGetTitleBarInfo(>)  5 
NtQueryDirectoryFile(>)  17 

NtGdiGetDCDword(>)  1 
NtUserSetWindowRgn(>)  2 
NtUserPostMessage(>)  5 
NtUserRegisterClassExWOW(>)  17 

NtGdiInit(>)  1 
NtUserSetWindowsHookEx(>)  2 
NtUserSetFocus(>)  5 
NtGdiDrawStream(>)  18 

NtGdiOffsetRgn(>)  1 
NtUserShowWindow(>)  2 
NtWriteFile(>)  5 
NtQueryInformationFile(>)  19 

NtGdiQueryFontAssocInfo(>)  1 
NtUserUnhookWindowsHookEx(>)  2 
NtGdiBitBlt(>)  6 
NtSetInformationProcess(>)  19 

NtOpenKeyedEvent(>)  1 
NtUserUnregisterClass(>)  2 
NtGdiCombineRgn(>)  6 
NtUserFindExistingCursorIcon(>)  19 

NtOpenMutant(>)  1 
NtCreateEvent(>)  3 
NtGdiCreateCompatibleBitmap(>)  6 
NtUserRemoveProp(>)  20 

NtQueryKey(>)  1 
NtGdiCreateDIBitmapInternal(>)  3 
NtGdiCreateRectRgn(>)  6 
NtGdiIntersectClipRect(>)  22 

NtQueryObject(>)  1 
NtGdiExcludeClipRect(>)  3 
NtGdiGetCharSet(>)  6 
NtOpenSection(>)  22 

NtRegisterThreadTerminatePort(>)  1 
NtGdiGetDCforBitmap(>)  3 
NtGdiGetStockObject(>)  6 
NtUserRegisterWindowMessage(>)  22 

NtSecureConnectPort(>)  1 
NtGdiGetDIBitsInternal(>)  3 
NtOpenThreadToken(>)  6 
NtQuerySystemInformation(>)  24 

NtSetValueKey(>)  1 
NtGdiGetWidthTable(>)  3 
NtUserBeginPaint(>)  6 
NtUserPostThreadMessage(>)  24 

NtTestAlert(>)  1 
NtGdiRestoreDC(>)  3 
NtUserGetClassInfo(>)  6 
NtUserGetWindowDC(>)  25 

NtUserBuildNameList(>)  1 
NtGdiSaveDC(>)  3 
NtUserGetForegroundWindow(>)  6 
NtUserPeekMessage(>)  28 

NtUserCallHwnd(>)  1 
NtGdiSetDIBitsToDeviceInternal(>)  3 
NtUserGetKeyboardLayoutList(>)  6 
NtQueryDefaultLocale(>)  29 

NtUserCloseDesktop(>)  1 
NtOpenSymbolicLinkObject(>)  3 
NtUserSelectPalette(>)  6 
NtOpenProcessTokenEx(>)  30 

NtUserDrawIconEx(>)  1 
NtQuerySymbolicLinkObject(>)  3 
NtUserSetWindowPos(>)  6 
NtOpenThreadTokenEx(>)  30 

NtUserFindWindowEx(>)  1 
NtSetInformationFile(>)  3 
NtCreateMutant(>)  7 
NtGdiDeleteObjectApp(>)  32 

NtUserGetCursorFrameInfo(>)  1 
NtSetInformationObject(>)  3 
NtSetInformationThread(>)  7 
NtQueryInformationProcess(>)  34 

NtUserGetGUIThreadInfo(>)  1 
NtUserEndPaint(>)  3 
NtUserDestroyCursor(>)  7 
NtUnmapViewOfSection(>)  34 

NtUserInvalidateRect(>)  1 
NtUserGetIconInfo(>)  3 
NtUserGetControlBrush(>)  7 
NtCreateSection(>)  35 

NtUserModifyUserStartupInfoFlags(>)  1 
NtUserGetObjectInformation(>)  3 
NtUserSetProp(>)  7 
NtGdiSelectBitmap(>)  37 

NtUserSetCapture(>)  1 
NtUserGetThreadDesktop(>)  3 
NtEnumerateKey(>)  8 
NtFlushInstructionCache(>)  41 

NtUserSetImeOwnerWindow(>)  1 
NtUserOpenDesktop(>)  3 
NtQueryDefaultUILanguage(>)  8 
NtOpenFile(>)  41 

NtUserSetThreadState(>)  1 
NtUserSetCursor(>)  3 
NtQueryVirtualMemory(>)  8 
NtQueryInformationToken(>)  41 

NtUserTranslateMessage(>)  1 
NtUserSetCursorIconData(>)  3 
NtUserInternalGetWindowText(>)  8 
NtAllocateVirtualMemory(>)  42 

NtUserWaitMessage(>)  1 
NtUserSystemParametersInfo(>)  3 
NtWriteVirtualMemory(>)  8 
NtQueryAttributesFile(>)  47 

NtCreateProcessEx(>)  2 
NtUserUpdateInputContext(>)  3 
NtQuerySection(>)  9 
NtMapViewOfSection(>)  54 

NtCreateThread(>)  2 
NtAccessCheck(>)  4 
NtQueryVolumeInformationFile(>)  9 
NtWaitForSingleObject(>)  57 

NtDeviceIoControlFile(>)  2 
NtContinue(>)  4 
NtUserSetWindowFNID(>)  9 
NtReleaseMutant(>)  59 

NtGdiCreatePatternBrushInternal(>)  2 
NtDuplicateToken(>)  4 
NtOpenProcessToken(>)  10 
NtUserCallOneParam(>)  64 

NtGdiCreateSolidBrush(>)  2 
NtFreeVirtualMemory(>)  4 
NtUserGetDC(>)  10 
NtQueryValueKey(>)  70 

NtGdiDoPalette(>)  2 
NtGdiGetDCObject(>)  4 
NtUserCallNoParam(>)  11 
NtUserMessageCall(>)  72 

NtGdiGetBitmapBits(>)  2 
NtGdiGetTextCharsetInfo(>)  4 
NtUserSetWindowLong(>)  11 
NtProtectVirtualMemory(>)  84 

NtGdiStretchDIBitsInternal(>)  2 
NtGdiGetTextMetricsW(>)  4 
NtRequestWaitReplyPort(>)  12 
NtOpenKey(>)  129 

NtOpenDirectoryObject(>)  2 
NtReadVirtualMemory(>)  4 
NtUserCreateWindowEx(>)  12 
NtUserQueryWindow(>)  182 

NtQueryDebugFilterState(>)  2 
NtUserCallHwndLock(>)  4 
NtGdiExtGetObjectW(>)  13 
NtClose(>)  237 

NtQueryInformationJobObject(>)  2 
NtUserFillWindow(>)  4 
NtGdiCreateCompatibleDC(>)  14 
NtUserValidateHandleSecure(>)  406 

NtQueryInstallUILanguage(>)  2 
NtUserGetAtomName(>)  4 
NtGdiExtSelectClipRgn(>)  14 

NtResumeThread(>)  2 
NtUserGetClassName(>)  4 
NtGdiGetRandomRgn(>)  14 

NtTerminateProcess(>)  2 

Trace:
 00001   484   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003   484   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006   484   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007   484   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010   484   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011   484   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012   484   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013   484   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014   484   NtClose  (12, ... ) == 0x0
 00015   484   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016   484   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020   484   NtClose  (16, ... ) == 0x0
 00021   484   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022   484   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023   484   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024   484   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025   484   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027   484   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028   484   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00029   484   NtClose  (16, ... ) == 0x0
 00030   484   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031   484   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033   484   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034   484   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 860, 484, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 860, 484, 57961, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 860, 484, 57961, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00036   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037   484   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039   484   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040   484   NtClose  (16, ... ) == 0x0
 00041   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043   484   NtClose  (16, ... ) == 0x0
 00044   484   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047   484   NtClose  (16, ... ) == 0x0
 00048   484   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050   484   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051   484   NtClose  (16, ... ) == 0x0
 00052   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054   484   NtClose  (16, ... ) == 0x0
 00055   484   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058   484   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059   484   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 860, 484, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ... {24, 52, reply, 0, 860, 484, 57962, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 860, 484, 57962, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" )  ) == 0x0
 00060   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 860, 484, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 860, 484, 57963, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 860, 484, 57963, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00061   484   NtProtectVirtualMemory  (-1, (0x40d000), 40960, 4, ... (0x40d000), 40960, 8, ) == 0x0
 00062   484   NtProtectVirtualMemory  (-1, (0x40d000), 40960, 8, ... (0x40d000), 40960, 8, ) == 0x0
 00063   484   NtFlushInstructionCache  (-1, 4247552, 40960, ... ) == 0x0
 00064   484   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00065   484   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00066   484   NtOpenProcessToken  (-1, 0x8, ... 16, ) == 0x0
 00067   484   NtQueryInformationToken  (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00068   484   NtClose  (16, ... ) == 0x0
 00069   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00070   484   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00071   484   NtClose  (16, ... ) == 0x0
 00072   484   NtTestAlert  (... ) == 0x0
 00073   484   NtContinue  (1244464, 1, ...
 00074   484   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x416c5d,}, 4, ... ) == 0x0
 00075   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00076   484   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00077   484   NtClose  (16, ... ) == 0x0
 00078   484   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00079   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00080   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00081   484   NtClose  (16, ... ) == 0x0
 00082   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00083   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00084   484   NtClose  (16, ... ) == 0x0
 00085   484   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00086   484   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00087   484   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00088   484   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00089   484   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00090   484   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00091   484   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00092   484   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00093   484   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00094   484   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00095   484   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00096   484   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00097   484   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00098   484   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00099   484   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00100   484   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00101   484   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00102   484   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00103   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00104   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00106   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696}  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 860, 484, 57964, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 860, 484, 57964, 0}  (24, {28, 56, new_msg, 0, 2089900645, 127, 2090320576, 1241696} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 860, 484, 57964, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00107   484   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00108   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239088, ... ) }, 1239088, ... ) == 0x0
 00109   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00110   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0
 00111   484   NtClose  (16, ... ) == 0x0
 00112   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00113   484   NtClose  (28, ... ) == 0x0
 00114   484   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00115   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 00116   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00117   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0
 00118   484   NtClose  (28, ... ) == 0x0
 00119   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0
 00120   484   NtClose  (16, ... ) == 0x0
 00121   484   NtUnmapViewOfSection  (-1, 0x420000, ... ) == 0x0
 00122   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239304, ... ) }, 1239304, ... ) == 0x0
 00123   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00124   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00125   484   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00126   484   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00127   484   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00128   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00130   484   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00131   484   NtClose  (36, ... ) == 0x0
 00132   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00133   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00134   484   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00135   484   NtClose  (36, ... ) == 0x0
 00136   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00137   484   NtClose  (32, ... ) == 0x0
 00138   484   NtClose  (16, ... ) == 0x0
 00139   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00140   484   NtClose  (28, ... ) == 0x0
 00141   484   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00142   484   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00143   484   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00144   484   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00145   484   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00146   484   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00147   484   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00148   484   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00149   484   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00150   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00151   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00152   484   NtClose  (28, ... ) == 0x0
 00153   484   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00154   484   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00155   484   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00156   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00157   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00158   484   NtClose  (28, ... ) == 0x0
 00159   484   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00160   484   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00161   484   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00162   484   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00163   484   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00164   484   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00165   484   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00166   484   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00167   484   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00168   484   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00169   484   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00170   484   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00171   484   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00172   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00173   484   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00174   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00176   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00177   484   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00178   484   NtClose  (28, ... ) == 0x0
 00179   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00180   484   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00181   484   NtClose  (28, ... ) == 0x0
 00182   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00183   484   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00184   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00185   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00187   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236220, ... ) }, 1236220, ... ) == 0x0
 00188   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00189   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239624, ... ) }, 1239624, ... ) == 0x0
 00191   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00192   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0
 00193   484   NtQueryValueKey  (16,  (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00194   484   NtClose  (16, ... ) == 0x0
 00195   484   NtMapViewOfSection  (-2147482584, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0
 00196   484   NtClose  (-2147482584, ... ) == 0x0
 00197   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0
 00198   484   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00199   484   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482584, ) == 0x0
 00200   484   NtQueryInformationToken  (-2147482584, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00201   484   NtQueryInformationToken  (-2147482584, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00202   484   NtClose  (-2147482584, ... ) == 0x0
 00203   484   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00204   484   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00205   484   NtDuplicateObject  (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00206   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00207   484   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   484   NtClose  (-2147482584, ... ) == 0x0
 00209   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00210   484   NtQueryValueKey  (-2147482584,  (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00211   484   NtClose  (-2147482584, ... ) == 0x0
 00212   484   NtQueryDefaultLocale  (0, -139609780, ... ) == 0x0
 00213   484   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00214   484   NtUserCallNoParam  (24, ... ) == 0x0
 00215   484   NtGdiCreateCompatibleDC  (0, ...
 00216   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00215   484   NtGdiCreateCompatibleDC  ... ) == 0xee0105b0
 00217   484   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00218   484   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00219   484   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0x76050581
 00220   484   NtGdiCreateSolidBrush  (0, 0, ...
 00221   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00220   484   NtGdiCreateSolidBrush  ... ) == 0xa51003d2
 00222   484   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00223   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x5201039b
 00224   484   NtGdiSelectBitmap  (1375798171, 1980040577, ... ) == 0x185000f
 00225   484   NtUserGetThreadDesktop  (484, 0, ... ) == 0x24
 00226   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00227   484   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00228   484   NtClose  (44, ... ) == 0x0
 00229   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00230   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 673, 128, 0, ... ) == 0x81aec017
 00231   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00232   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 674, 128, 0, ... ) == 0x81aec01c
 00233   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00234   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 675, 128, 0, ... ) == 0x81aec01e
 00235   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00236   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 676, 128, 0, ... ) == 0x81ae8002
 00237   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10013
 00238   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 677, 128, 0, ... ) == 0x81aec018
 00239   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00240   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 678, 128, 0, ... ) == 0x81aec01a
 00241   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00242   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 679, 128, 0, ... ) == 0x81aec01d
 00243   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00244   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 681, 128, 0, ... ) == 0x81aec026
 00245   484   NtUserFindExistingCursorIcon  (1240800, 1240816, 1240864, ... ) == 0x10011
 00246   484   NtUserRegisterClassExWOW  (1240812, 1240880, 1240896, 1240912, 680, 128, 0, ... ) == 0x81aec019
 00247   484   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x81aec020
 00248   484   NtUserRegisterClassExWOW  (1241020, 1241116, 1241100, 1241088, 0, 130, 0, ... ) == 0x81aec022
 00249   484   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x81aec023
 00250   484   NtUserRegisterClassExWOW  (1241020, 1241116, 1241100, 1241088, 0, 130, 0, ... ) == 0x81aec024
 00251   484   NtUserRegisterClassExWOW  (1240764, 1240832, 1240848, 1240864, 0, 128, 0, ... ) == 0x81aec025
 00252   484   NtCallbackReturn  (0, 0, 0, ...
 00253   484   NtGdiInit  (... ) == 0x1
 00254   484   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00255   484   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00256   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 44, ) }, ... 44, ) == 0x0
 00257   484   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00258   484   NtClose  (44, ... ) == 0x0
 00259   484   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00260   484   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00261   484   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00262   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00264   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8650752, 65536, ) == 0x0
 00265   484   NtAllocateVirtualMemory  (-1, 8650752, 0, 4096, 4096, 4, ... 8650752, 4096, ) == 0x0
 00266   484   NtAllocateVirtualMemory  (-1, 8654848, 0, 8192, 4096, 4, ... 8654848, 8192, ) == 0x0
 00267   484   NtAllocateVirtualMemory  (-1, 8663040, 0, 4096, 4096, 4, ... 8663040, 4096, ) == 0x0
 00268   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0
 00269   484   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 12288, ) == 0x0
 00270   484   NtClose  (44, ... ) == 0x0
 00271   484   NtAllocateVirtualMemory  (-1, 8667136, 0, 4096, 4096, 4, ... 8667136, 4096, ) == 0x0
 00272   484   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00273   484   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00274   484   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00275   484   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00276   484   NtUserModifyUserStartupInfoFlags  (1, 0, ... ) == 0x81aee620
 00277   484   NtUserGetDCEx  (0, 0, 3, ... ) == 0x1010051
 00278   484   NtUserGetForegroundWindow  (... ) == 0x70104
 00279   484   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00280   484   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00281   484   NtGdiGetTextCharsetInfo  (16842833, 0, 0, ... ) == 0x0
 00282   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x330404e1
 00283   484   NtGdiGetRandomRgn  (16842833, 855901409, 1, ... ) == 0x0
 00284   484   NtGdiIntersectClipRect  (16842833, 0, 0, 565, 738, ... ) == 0x3
 00285   484   NtGdiExtSelectClipRgn  (16842833, 0, 5, ... ) == 0x2
 00286   484   NtGdiGetTextCharsetInfo  (16842833, 0, 0, ... ) == 0x0
 00287   484   NtGdiGetRandomRgn  (16842833, 872678625, 1, ... ) == 0x0
 00288   484   NtGdiIntersectClipRect  (16842833, 0, 0, 147, 738, ... ) == 0x3
 00289   484   NtGdiExtSelectClipRgn  (16842833, 0, 5, ... ) == 0x2
 00290   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00291   484   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00292   484   NtUserFindExistingCursorIcon  (1241636, 1241652, 1241700, ... ) == 0x10011
 00293   484   NtUserSetCursor  (65553, ... ) == 0x10015
 00294   484   NtUserCallOneParam  (1, 50, ... ) == 0x1
 00295   484   NtUserFindExistingCursorIcon  (1241588, 1241604, 1241652, ... ) == 0x10015
 00296   484   NtUserSetCursor  (65557, ... ) == 0x10011
 00297   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x52010634
 00298   484   NtGdiExtGetObjectW  (50987262, 92, 1241876, ... ) == 0x5c
 00299   484   NtGdiHfontCreate  (1241348, 356, 0, 0, 1331320, ... ) == 0x2a0a0697
 00300   484   NtGdiGetTextMetricsW  (1375798836, 1241872, 68, ... ) == 0x1
 00301   484   NtGdiGetWidthTable  (1375798836, 52, 1332024, 308, 1332640, 1331392, 1331408, ... ) == 0x1
 00302   484   NtGdiDeleteObjectApp  (1375798836, ... ) == 0x1
 00303   484   NtUserGetForegroundWindow  (... ) == 0x70104
 00304   484   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 00305   484   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 00306   484   NtUserGetAtomName  (32770, 1240848, ... ) == 0x6
 00307   484   NtUserCreateWindowEx  (65793, 32770, 32770,  (65793, 32770, 32770, "Error", -2134375995, 404, 335, 222, 126, 0, 0, 2118189056, 0, 1073742848, 0, ... , -2134375995, 404, 335, 222, 126, 0, 0, 2118189056, 0, 1073742848, 0, ...
 00308   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238320, ... ) }, 1238320, ... ) == 0x0
 00309   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0
 00310   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 44, ... 48, ) == 0x0
 00311   484   NtClose  (44, ... ) == 0x0
 00312   484   NtMapViewOfSection  (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 221184, ) == 0x0
 00313   484   NtClose  (48, ... ) == 0x0
 00314   484   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00315   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238628, ... ) }, 1238628, ... ) == 0x0
 00316   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0
 00317   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0
 00318   484   NtQuerySection  (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00319   484   NtClose  (48, ... ) == 0x0
 00320   484   NtMapViewOfSection  (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0
 00321   484   NtClose  (44, ... ) == 0x0
 00322   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00323   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00324   484   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00325   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00326   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00327   484   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00328   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00329   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00330   484   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00331   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0
 00332   484   NtProtectVirtualMemory  (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0
 00333   484   NtFlushInstructionCache  (-1, 1524043776, 1300, ... ) == 0x0
 00334   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00336   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00337   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00338   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00339   484   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00340   484   NtClose  (44, ... ) == 0x0
 00341   484   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0
 00342   484   NtOpenKey  (0x1, {24, 44, 0x40, 0, 0,  (0x1, {24, 44, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 48, ) }, ... 48, ) == 0x0
 00343   484   NtQueryValueKey  (48,  (48, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00344   484   NtClose  (48, ... ) == 0x0
 00345   484   NtClose  (44, ... ) == 0x0
 00346   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00347   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 44, ) == 0x0
 00348   484   NtQueryInformationToken  (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00349   484   NtClose  (44, ... ) == 0x0
 00350   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0
 00351   484   NtOpenKey  (0x1, {24, 44, 0x40, 0, 0,  (0x1, {24, 44, 0x40, 0, 0, "Control Panel\Desktop"}, ... 48, ) }, ... 48, ) == 0x0
 00352   484   NtQueryValueKey  (48,  (48, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00353   484   NtClose  (48, ... ) == 0x0
 00354   484   NtClose  (44, ... ) == 0x0
 00355   484   NtUserGetProcessWindowStation  (... ) == 0x20
 00356   484   NtUserGetObjectInformation  (32, 2, 1240416, 64, 1240412, ... ) == 0x1
 00357   484   NtUserGetGUIThreadInfo  (484, 1240436, ... ) == 0x1
 00358   484   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1240280, 64, ... 44, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1240280, 64, ... 44, 0x0, 0x0, 0x0, 64, ) == 0x0
 00359   484   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 860, 484, 57976, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00360   484   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57977, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 860, 484, 57977, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57977, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00361   484   NtUserCallNoParam  (29, ...
 00362   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237676, ... ) }, 1237676, ... ) == 0x0
 00361   484   NtUserCallNoParam  ... ) == 0x0
 00363   484   NtUserSystemParametersInfo  (41, 0, 1524240760, 0, ... ) == 0x1
 00364   484   NtGdiHfontCreate  (1239804, 356, 0, 0, 1331312, ... ) == 0x540a0634
 00365   484   NtGdiHfontCreate  (1239804, 356, 0, 0, 1331304, ... ) == 0x720a0798
 00366   484   NtRequestWaitReplyPort  (44, {32, 56, new_msg, 0, 0, 0, 0, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57978, 0} "\0\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 860, 484, 57978, 0}  (44, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 860, 484, 57978, 0} "\0\0\0\0\0\0\0\00\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00367   484   NtMapViewOfSection  (48, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 327680, ) == 0x0
 00368   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00369   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00370   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00371   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00372   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00373   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00374   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00375   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00376   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00377   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00378   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00379   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00380   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00381   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00382   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00383   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00384   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00385   484   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x3c10056c
 00386   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00387   484   NtUserCallNoParam  (29, ...
 00388   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237116, ... ) }, 1237116, ... ) == 0x0
 00387   484   NtUserCallNoParam  ... ) == 0x0
 00389   484   NtUserCallNoParam  (29, ...
 00390   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237112, ... ) }, 1237112, ... ) == 0x0
 00389   484   NtUserCallNoParam  ... ) == 0x0
 00391   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1238324, ... ) }, 1238324, ... ) == 0x0
 00392   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00393   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0
 00394   484   NtClose  (52, ... ) == 0x0
 00395   484   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8b0000), 0x0, 294912, ) == 0x0
 00396   484   NtClose  (56, ... ) == 0x0
 00397   484   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 00398   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1238632, ... ) }, 1238632, ... ) == 0x0
 00399   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00400   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0
 00401   484   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00402   484   NtClose  (56, ... ) == 0x0
 00403   484   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0
 00404   484   NtClose  (52, ... ) == 0x0
 00405   484   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00406   484   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00407   484   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00408   484   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00409   484   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00410   484   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00411   484   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00412   484   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00413   484   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00414   484   NtProtectVirtualMemory  (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0
 00415   484   NtProtectVirtualMemory  (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0
 00416   484   NtFlushInstructionCache  (-1, 1953632256, 928, ... ) == 0x0
 00417   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00418   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1235988, ... ) }, 1235988, ... ) == 0x0
 00419   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00420   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00421   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1
 00422   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2
 00423   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3
 00424   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4
 00425   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5
 00426   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6
 00427   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7
 00428   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8
 00429   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9
 00430   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa
 00431   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab
 00432   484   NtUserRegisterWindowMessage  ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac
 00433   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 1235996, ... ) }, 1235996, ... ) == 0x0
 00434   484   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0}  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\344\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 860, 484, 57979, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\344\1\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 860, 484, 57979, 0}  (24, {24, 52, new_msg, 0, 3998, 1238388, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\344\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 860, 484, 57979, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\344\1\0\0\0\0\0\0" )  ) == 0x0
 00435   484   NtUserGetThreadDesktop  (484, 0, ... ) == 0x24
 00436   484   NtUserGetObjectInformation  (36, 2, 1318544, 520, 1238296, ... ) == 0x1
 00437   484   NtOpenProcessToken  (-1, 0x8, ... 52, ) == 0x0
 00438   484   NtQueryInformationToken  (52, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00439   484   NtQueryInformationToken  (52, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0
 00440   484   NtClose  (52, ... ) == 0x0
 00441   484   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00442   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 56, ) }, {3240, 0}, 4, 134217728, 0, ... 56, ) == STATUS_OBJECT_NAME_EXISTS
 00443   484   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8b0000), {0, 0}, 4096, ) == 0x0
 00444   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00445   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 60, ) }, ... 60, ) == 0x0
 00446   484   NtQueryValueKey  (60,  (60, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00447   484   NtClose  (60, ... ) == 0x0
 00448   484   NtUserFindExistingCursorIcon  (1237828, 1237844, 1237892, ... ) == 0x10011
 00449   484   NtUserRegisterClassExWOW  (1238100, 1238196, 1238180, 1238168, 0, 386, 0, ... ) == 0x81aec0ad
 00450   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 60, ) }, 0, ... 60, ) == STATUS_OBJECT_NAME_EXISTS
 00451   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 64, ) }, 0, ... 64, ) == STATUS_OBJECT_NAME_EXISTS
 00452   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 68, ) }, 0, ... 68, ) == STATUS_OBJECT_NAME_EXISTS
 00453   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 72, ) }, 0, ... 72, ) == STATUS_OBJECT_NAME_EXISTS
 00454   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 76, ) }, 0, ... 76, ) == STATUS_OBJECT_NAME_EXISTS
 00455   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00456   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 80, ) == 0x0
 00457   484   NtQueryInformationToken  (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00458   484   NtClose  (80, ... ) == 0x0
 00459   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 80, ) }, ... 80, ) == 0x0
 00460   484   NtSetInformationObject  (80, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00461   484   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 84, ) }, ... 84, ) == 0x0
 00462   484   NtQueryValueKey  (84,  (84, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00463   484   NtQueryValueKey  (84,  (84, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00464   484   NtQueryValueKey  (84,  (84, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00465   484   NtClose  (84, ... ) == 0x0
 00466   484   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00467   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 1235816, ... ) }, 1235816, ... ) == 0x0
 00468   484   NtQueryDefaultUILanguage  (1238376, ...
 00469   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00470   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00471   484   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00472   484   NtClose  (-2147482584, ... ) == 0x0
 00473   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00474   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00475   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00476   484   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00477   484   NtClose  (-2147481332, ... ) == 0x0
 00478   484   NtClose  (-2147482584, ... ) == 0x0
 00468   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00479   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 84, ) }, ... 84, ) == 0x0
 00480   484   NtQueryValueKey  (84,  (84, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00481   484   NtClose  (84, ... ) == 0x0
 00482   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 84, ) }, 0, ... 84, ) == STATUS_OBJECT_NAME_EXISTS
 00483   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 88, ) }, ... 88, ) == 0x0
 00484   484   NtMapViewOfSection  (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8c0000), {0, 0}, 262144, ) == 0x0
 00485   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00486   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00487   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00488   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00489   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 00490   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 00491   484   NtUserSetWindowsHookEx  (1953628160, 1239852, 484, 2, 1953694283, 2, ... ) == 0x601df
 00492   484   NtUserSetWindowsHookEx  (1953628160, 1239852, 484, 7, 1953693577, 2, ... ) == 0x18022f
 00493   484   NtUserSetWindowFNID  (655618, 676, ... ) == 0x1
 00494   484   NtUserCallHwndParam  (655618, 1335020, 79, ... ) == 0x145eec
 00495   484   NtUserMessageCall  (0xa0102, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00496   484   NtUserSetWindowFNID  (590100, 681, ... ) == 0x1
 00497   484   NtUserSetWindowLong  (590100, 0, 1332968, 0, ... ) == 0x0
 00498   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\IMM"}, ... 92, ) }, ... 92, ) == 0x0
 00499   484   NtQueryValueKey  (92,  (92, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (92, "Ime File", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0s\0c\0t\0f\0i\0m\0e\0.\0i\0m\0e\0\0\0"}, 38, ) }, 38, ) == 0x0
 00500   484   NtClose  (92, ... ) == 0x0
 00501   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "version.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00502   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 00503   484   NtClose  (92, ... ) == 0x0
 00504   484   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 00505   484   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 00506   484   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 00507   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00508   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00509   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00510   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237116, ... ) }, 1237116, ... ) == 0x0
 00511   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00512   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00513   484   NtClose  (92, ... ) == 0x0
 00514   484   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 180224, ) == 0x0
 00515   484   NtClose  (96, ... ) == 0x0
 00516   484   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00517   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236712, ... ) }, 1236712, ... ) == 0x0
 00518   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237456,  (0x80100080, {24, 0, 0x40, 0, 1237456, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0
 00519   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 92, ) == 0x0
 00520   484   NtClose  (96, ... ) == 0x0
 00521   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 180224, ) == 0x0
 00522   484   NtClose  (92, ... ) == 0x0
 00523   484   NtQueryDefaultUILanguage  (2090319928, ...
 00524   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00525   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 00526   484   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00527   484   NtClose  (-2147482584, ... ) == 0x0
 00528   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 00529   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 00531   484   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00532   484   NtClose  (-2147481332, ... ) == 0x0
 00533   484   NtClose  (-2147482584, ... ) == 0x0
 00523   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00534   484   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00535   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00536   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00537   484   NtQueryDefaultLocale  (1, 1238076, ... ) == 0x0
 00538   484   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00539   484   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00540   484   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00541   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00542   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00543   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237108, ... ) }, 1237108, ... ) == 0x0
 00544   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00545   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0
 00546   484   NtClose  (92, ... ) == 0x0
 00547   484   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 180224, ) == 0x0
 00548   484   NtClose  (96, ... ) == 0x0
 00549   484   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00550   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236704, ... ) }, 1236704, ... ) == 0x0
 00551   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1237448,  (0x80100080, {24, 0, 0x40, 0, 1237448, "\??\C:\WINDOWS\system32\msctfime.ime"}, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 96, {status=0x0, info=1}, ) == 0x0
 00552   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 96, ... 92, ) == 0x0
 00553   484   NtClose  (96, ... ) == 0x0
 00554   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x900000), {0, 0}, 180224, ) == 0x0
 00555   484   NtClose  (92, ... ) == 0x0
 00556   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00557   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00558   484   NtQueryDefaultLocale  (1, 1238068, ... ) == 0x0
 00559   484   NtQueryVirtualMemory  (-1, 0x900000, Basic, 28, ... {BaseAddress=0x900000,AllocationBase=0x900000,AllocationProtect=0x2,RegionSize=0x2c000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00560   484   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 00561   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 00562   484   NtUnmapViewOfSection  (-1, 0x77c00000, ... ) == 0x0
 00563   484   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 92, ) }, ... 92, ) == 0x0
 00564   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00565   484   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 96, ) }, ... 96, ) == 0x0
 00566   484   NtMapViewOfSection  (96, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x900000), {0, 0}, 57344, ) == 0x0
 00567   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00568   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00569   484   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00570   484   NtClose  (100, ... ) == 0x0
 00571   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00572   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00573   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237088, ... ) }, 1237088, ... ) == 0x0
 00574   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00575   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00576   484   NtClose  (100, ... ) == 0x0
 00577   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 180224, ) == 0x0
 00578   484   NtClose  (104, ... ) == 0x0
 00579   484   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00580   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1237396, ... ) }, 1237396, ... ) == 0x0
 00581   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00582   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00583   484   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00584   484   NtClose  (104, ... ) == 0x0
 00585   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x755c0000), 0x0, 188416, ) == 0x0
 00586   484   NtClose  (100, ... ) == 0x0
 00587   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00588   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00589   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00590   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00591   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00592   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00593   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00594   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00595   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00596   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00597   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00598   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00599   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00600   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00601   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00602   484   NtProtectVirtualMemory  (-1, (0x755c1000), 860, 4, ... (0x755c1000), 4096, 32, ) == 0x0
 00603   484   NtProtectVirtualMemory  (-1, (0x755c1000), 4096, 32, ... (0x755c1000), 4096, 4, ) == 0x0
 00604   484   NtFlushInstructionCache  (-1, 1968967680, 860, ... ) == 0x0
 00605   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00606   484   NtUserGetDC  (0, ... ) == 0x1010051
 00607   484   NtUserSystemParametersInfo  (66, 12, 1237584, 0, ... ) == 0x1
 00608   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00609   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x9d01066e
 00610   484   NtGdiCreateCompatibleDC  (0, ... ) == 0xc70104aa
 00611   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x9b010551
 00612   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 1234916, ... ) }, 1234916, ... ) == 0x0
 00613   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00614   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00615   484   NtClose  (100, ... ) == 0x0
 00616   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 1286144, ) == 0x0
 00617   484   NtClose  (104, ... ) == 0x0
 00618   484   NtUnmapViewOfSection  (-1, 0x910000, ... ) == 0x0
 00619   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 1235224, ... ) }, 1235224, ... ) == 0x0
 00620   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ole32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00621   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 100, ) == 0x0
 00622   484   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00623   484   NtClose  (104, ... ) == 0x0
 00624   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00625   484   NtClose  (100, ... ) == 0x0
 00626   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00627   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00628   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00629   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00630   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00631   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00632   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00633   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00634   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00635   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00636   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00637   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00638   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00639   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00640   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00641   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00642   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00643   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00644   484   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00645   484   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00646   484   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00647   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00648   484   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00649   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 100, {status=0x0, info=0}, ) }, 7, 16, ... 100, {status=0x0, info=0}, ) == 0x0
 00650   484   NtDeviceIoControlFile  (100, 0, 0x0, 0x0, 0x390008,  (100, 0, 0x0, 0x0, 0x390008, "\320\227\372Hw)\275D\371\13\373\10<0\214\231\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00651   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00652   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00653   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00654   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00655   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00656   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00657   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00658   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482584, 2, ) }, 0, 0x0, 0, ... -2147482584, 2, ) == 0x0
 00659   484   NtSetValueKey  (-2147482584,  (-2147482584, "Seed", 0, 3, "\364e\342\247<\277x\23Zi\304\335\273\0\254\306\232\322\250\14\313\335\256\272R\263\20FD\237\362J\2249\266\312\222\203h\303 \372\301\14QX\271\341\212\261\2230\11\256\266"_\236\370\375Ph\305\247\314\274.G~A\241=\3673\314\240\371\333\215\246", 80, ... ) , 0, 3,  (-2147482584, "Seed", 0, 3, "\364e\342\247<\277x\23Zi\304\335\273\0\254\306\232\322\250\14\313\335\256\272R\263\20FD\237\362J\2249\266\312\222\203h\303 \372\301\14QX\271\341\212\261\2230\11\256\266"_\236\370\375Ph\305\247\314\274.G~A\241=\3673\314\240\371\333\215\246", 80, ... ) _\236\370\375Ph\305\247\314\274.G~A\241=\3673\314\240\371\333\215\246", 80, ... ) == 0x0
 00660   484   NtClose  (-2147482584, ... ) == 0x0
 00650   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\7\200\316\226\241\363)\353K&\3465X\216\273?b\207\221\337Y\374\2551\215K\2109\247\302,\360\330\35\3123\256o_\240\362\313C7\267y\247k/\6ey\234\320\26\241\300fFV\301\270aw6s\2366G\10\341w\15*\355\0\2241\234\233\242{\236\6'\2212\2761\267\304\315\214\21\245\250\255Fqx\300\177\341*\177\253\306\277\237X`l\350\205\312\373\340\250\300L\217|)K\307i\213\262f\344p\6\5Vp\373e|\307\307h\2425\21c\241\337Z/\270\1\312\373\35\1[\255\250\213B\254\215V\325Q\23\27u\206w\264\356\5\341\363\273G\310\301\221~Q{A\23\177F\267F+D\246o\200\7\3278\263\350 \373K\227\235V\234n\16\234\225\6\263\34\367\213\324\226*\27\306\377\364\250K\315\242\221_(Y\21u\307\370$\216\325{:\332h.\2452\13\360\376\30\12\265\352\264\22\20\357\330", ) , ) == 0x0
 00661   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00662   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00663   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 104, ) }, ... 104, ) == 0x0
 00664   484   NtQueryValueKey  (104,  (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00665   484   NtClose  (104, ... ) == 0x0
 00666   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 104, ) }, ... 104, ) == 0x0
 00667   484   NtQueryValueKey  (104,  (104, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00668   484   NtClose  (104, ... ) == 0x0
 00669   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00670   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00671   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00672   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00673   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 104, ) }, ... 104, ) == 0x0
 00674   484   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   484   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00676   484   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00677   484   NtClose  (104, ... ) == 0x0
 00678   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 104, ) }, ... 104, ) == 0x0
 00679   484   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00680   484   NtQueryValueKey  (104,  (104, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00681   484   NtClose  (104, ... ) == 0x0
 00682   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00683   484   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10003
 00684   484   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10011
 00685   484   NtGdiGetStockObject  (5, ... ) == 0x1900015
 00686   484   NtUserGetClassInfo  (1968963584, 1236988, 1237552, 1236984, 0, ... ) == 0x0
 00687   484   NtUserRegisterClassExWOW  (1236872, 1236940, 1236956, 1236972, 0, 384, 0, ... ) == 0x81aec079
 00688   484   NtUserFindExistingCursorIcon  (1236856, 1236872, 1236920, ... ) == 0x10013
 00689   484   NtUserGetClassInfo  (1968963584, 1236988, 1237552, 1236984, 0, ... ) == 0x0
 00690   484   NtUserRegisterClassExWOW  (1236872, 1236940, 1236956, 1236972, 0, 384, 0, ... ) == 0x81aec07a
 00691   484   NtUserRegisterWindowMessage  ( ("MSIMEService", ... ) , ... ) == 0xc07b
 00692   484   NtUserRegisterWindowMessage  ( ("MSIMEUIReady", ... ) , ... ) == 0xc07c
 00693   484   NtUserRegisterWindowMessage  ( ("MSIMEReconvertRequest", ... ) , ... ) == 0xc07d
 00694   484   NtUserRegisterWindowMessage  ( ("MSIMEReconvert", ... ) , ... ) == 0xc07e
 00695   484   NtUserRegisterWindowMessage  ( ("MSIMEDocumentFeed", ... ) , ... ) == 0xc07f
 00696   484   NtUserRegisterWindowMessage  ( ("MSIMEQueryPosition", ... ) , ... ) == 0xc080
 00697   484   NtUserRegisterWindowMessage  ( ("MSIMEModeBias", ... ) , ... ) == 0xc081
 00698   484   NtUserRegisterWindowMessage  ( ("MSIMEShowImePad", ... ) , ... ) == 0xc082
 00699   484   NtUserRegisterWindowMessage  ( ("MSIMEMouseOperation", ... ) , ... ) == 0xc083
 00700   484   NtUserRegisterWindowMessage  ( ("MSIMEKeyMap", ... ) , ... ) == 0xc084
 00701   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1237748, ... ) }, 1237748, ... ) == 0x0
 00702   484   NtUserMessageCall  (0x90114, WM_NCCREATE, 0x0, 0x12eea0, 0, 670, 0, ... ) == 0x1
 00703   484   NtUserMessageCall  (0x90114, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00704   484   NtUserSetProp  (590100, 43288, -1, ... ) == 0x1
 00705   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00706   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00707   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00708   484   NtUserUpdateInputContext  (7536899, 1, 590100, ... ) == 0x1
 00709   484   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF"}, ... 104, ) }, ... 104, ) == 0x0
 00710   484   NtQueryValueKey  (104,  (104, "Disable Thread Input Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00711   484   NtClose  (104, ... ) == 0x0
 00712   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00713   484   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 00714   484   NtDuplicateToken  (104, 0xc, {24, 0, 0x0, 0, 1239580, 0x0}, 0, 2, ... 108, ) == 0x0
 00715   484   NtClose  (104, ... ) == 0x0
 00716   484   NtAccessCheck  (1341080, 108, 0x1, 1239656, 1239708, 56, 1239688, ... (0x1), ) == 0x0
 00717   484   NtClose  (108, ... ) == 0x0
 00718   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\CTF\SystemShared"}, ... 108, ) }, ... 108, ) == 0x0
 00719   484   NtQueryValueKey  (108,  (108, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00720   484   NtClose  (108, ... ) == 0x0
 00721   484   NtUserGetImeInfoEx  (1239472, 0, ... ) == 0x1
 00722   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 00723   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00724   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 108, ) == 0x0
 00725   484   NtQueryInformationToken  (108, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00726   484   NtClose  (108, ... ) == 0x0
 00727   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00728   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 00729   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\msctfime.ime"}, 1236504, ... ) }, 1236504, ... ) == 0x0
 00730   484   NtUserGetThreadState  (16, ... ) == 0x0
 00731   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 00732   484   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 00733   484   NtDuplicateToken  (108, 0xc, {24, 0, 0x0, 0, 1238504, 0x0}, 0, 2, ... 104, ) == 0x0
 00734   484   NtClose  (108, ... ) == 0x0
 00735   484   NtAccessCheck  (1341080, 104, 0x1, 1238580, 1238632, 56, 1238612, ... (0x1), ) == 0x0
 00736   484   NtClose  (104, ... ) == 0x0
 00737   484   NtUserGetClassInfo  (1968963584, 1238224, 1238168, 1238216, 0, ... ) == 0xc079
 00738   484   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00739   484   NtUserGetClassName  (655618, 0, 1239972, ... ) == 0x6
 00740   484   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 00741   484   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357}  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357} "\0\0\0\0\5\4\3\0o\0f\0t\0 \0\344\1\0\0,\352\22\0" ... {24, 52, reply, 0, 860, 484, 57980, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0 \0\344\1\0\0\0\0\0\0" )  ... {24, 52, reply, 0, 860, 484, 57980, 0}  (24, {24, 52, new_msg, 0, 2, 327681, 262144, 6881357} "\0\0\0\0\5\4\3\0o\0f\0t\0 \0\344\1\0\0,\352\22\0" ... {24, 52, reply, 0, 860, 484, 57980, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0 \0\344\1\0\0\0\0\0\0" )  ) == 0x0
 00742   484   NtUserGetThreadDesktop  (484, 0, ... ) == 0x24
 00743   484   NtUserGetObjectInformation  (36, 2, 1239656, 520, 0, ... ) == 0x1
 00744   484   NtGdiDeleteObjectApp  (1007682924, ... ) == 0x1
 00745   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00746   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00747   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00748   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00749   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00750   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00751   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00752   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00753   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00754   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00755   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00756   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00757   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00758   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00759   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00760   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00761   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00762   484   NtGdiCreatePatternBrushInternal  (59048383, 0, 0, ... ) == 0x3d10056c
 00763   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 00764   484   NtUserSetProp  (655618, 43288, 8661168, ... ) == 0x1
 00307   484   NtUserCreateWindowEx  ... ) == 0xa0102
 00765   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00766   484   NtUserCallHwndLock  (655618, 90, ... ) == 0x1
 00767   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00768   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00769   484   NtUserGetAtomName  (49175, 1240848, ... ) == 0x6
 00770   484   NtUserCreateWindowEx  (4, 49175, 49175,  (4, 49175, 49175, "OK", 1342373889, 71, 60, 75, 23, 655618, 1, 2118189056, 0, 1073742848, 0, ... , 1342373889, 71, 60, 75, 23, 655618, 1, 2118189056, 0, 1073742848, 0, ...
 00771   484   NtUserSetWindowFNID  (1573108, 673, ... ) == 0x1
 00772   484   NtUserSetWindowLong  (1573108, 0, 1341492, 0, ... ) == 0x0
 00773   484   NtUserMessageCall  (0x1800f4, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00774   484   NtUserMessageCall  (0x1800f4, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00775   484   NtUserSetProp  (1573108, 43288, -1, ... ) == 0x1
 00770   484   NtUserCreateWindowEx  ... ) == 0x1800f4
 00776   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00777   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00778   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00779   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00780   484   NtUserGetAtomName  (49177, 1240848, ... ) == 0x6
 00781   484   NtUserCreateWindowEx  (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 655618, 20, 2118189056, 0, 1073742848, 0, ...
 00782   484   NtUserSetWindowFNID  (327932, 680, ... ) == 0x1
 00783   484   NtUserSetWindowLong  (327932, 0, 1341696, 0, ... ) == 0x0
 00784   484   NtUserMessageCall  (0x500fc, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00785   484   NtUserMessageCall  (0x500fc, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00786   484   NtUserSetProp  (327932, 43288, -1, ... ) == 0x1
 00787   484   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x0
 00788   484   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x0
 00789   484   NtUserFindExistingCursorIcon  (1239596, 1239612, 1239660, ... ) == 0x10009
 00790   484   NtUserGetIconSize  (65545, 0, 1240216, 1240220, ... ) == 0x1
 00791   484   NtUserGetCursorFrameInfo  (65545, 0, 1240252, 1240228, ... ) == 0x10009
 00792   484   NtUserSetWindowPos  (327932, 0, 0, 0, 32, 32, 22, ...
 00793   484   NtUserMessageCall  (0x500fc, WM_WINDOWPOSCHANGING, 0x0, 0x12ec14, 0, 670, 0, ... ) == 0x0
 00794   484   NtUserMessageCall  (0x500fc, WM_NCCALCSIZE, 0x1, 0x12ebe8, 0, 670, 0, ... ) == 0x0
 00795   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 00792   484   NtUserSetWindowPos  ... ) == 0x1
 00781   484   NtUserCreateWindowEx  ... ) == 0x500fc
 00796   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00797   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00798   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00799   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00800   484   NtUserGetAtomName  (49177, 1240848, ... ) == 0x6
 00801   484   NtUserCreateWindowEx  (4, 49177, 49177,  (4, 49177, 49177, "Pack method not implemented.", 1342316672, 62, 20, 149, 15, 655618, 65535, 2118189056, 0, 1073742848, 0, ... , 1342316672, 62, 20, 149, 15, 655618, 65535, 2118189056, 0, 1073742848, 0, ...
 00802   484   NtUserSetWindowFNID  (852250, 680, ... ) == 0x1
 00803   484   NtUserSetWindowLong  (852250, 0, 1341672, 0, ... ) == 0x0
 00804   484   NtUserMessageCall  (0xd011a, WM_NCCREATE, 0x0, 0x12eebc, 0, 670, 0, ... ) == 0x1
 00805   484   NtUserMessageCall  (0xd011a, WM_NCCALCSIZE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x0
 00806   484   NtUserSetProp  (852250, 43288, -1, ... ) == 0x1
 00801   484   NtUserCreateWindowEx  ... ) == 0xd011a
 00807   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00808   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00809   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00810   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00811   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00812   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00813   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00814   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00815   484   NtUserSetWindowLong  (655618, -21, 1243324, 0, ... ) == 0x0
 00816   484   NtUserCallHwnd  (655618, 73, ... ) == 0xbc64fea8
 00817   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00818   484   NtUserSetFocus  (1573108, ...
 00819   484   NtUserPostThreadMessage  (484, 49313, 17, 1573108, ... ) == 0x1
 00820   484   NtUserGetForegroundWindow  (... ) == 0x0
 00821   484   NtUserMessageCall  (0xa0102, WM_NCACTIVATE, 0x1, 0xffffffff, 0, 670, 0, ... ) == 0x1
 00822   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 00823   484   NtUserGetWindowDC  (655618, ... ) == 0x1010050
 00824   484   NtGdiGetTextMetricsW  (16842832, 1239856, 68, ... ) == 0x1
 00825   484   NtGdiGetRandomRgn  (16842832, 889455841, 1, ... ) == 0x0
 00826   484   NtGdiIntersectClipRect  (16842832, 0, 0, 0, 0, ... ) == 0x3
 00827   484   NtGdiGetWidthTable  (16842832, 5, 1342416, 261, 1342938, 1341784, 1341800, ... ) == 0x1
 00828   484   NtGdiExtSelectClipRgn  (16842832, 0, 5, ... ) == 0x1
 00829   484   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 00830   484   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 00831   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239816, 690, 0, ...
 00832   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 00831   484   NtUserMessageCall  ... ) == 0x0
 00833   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239816, 690, 0, ...
 00834   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 00833   484   NtUserMessageCall  ... ) == 0x0
 00835   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239816, 690, 0, ...
 00836   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 00835   484   NtUserMessageCall  ... ) == 0x0
 00837   484   NtUserGetTitleBarInfo  (655618, 1240448, ... ) == 0x1
 00838   484   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010054
 00839   484   NtGdiExcludeClipRect  (16842836, 3, 29, 219, 123, ... ) == 0x3
 00840   484   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00841   484   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00842   484   NtGdiDrawStream  (16842836, 96, 1239932, ... ) == 0x1
 00843   484   NtGdiCreateCompatibleBitmap  (16842836, 222, 29, ... ) == 0xae0506b2
 00844   484   NtGdiCreateCompatibleDC  (16842836, ... ) == 0xc0105d6
 00845   484   NtGdiSelectBitmap  (201393622, -1375402318, ... ) == 0x185000f
 00846   484   NtGdiDrawStream  (201393622, 96, 1239824, ... ) == 0x1
 00847   484   NtGdiDrawStream  (201393622, 96, 1239780, ... ) == 0x1
 00848   484   NtGdiDrawStream  (201393622, 96, 1239780, ... ) == 0x1
 00849   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 00850   484   NtGdiGetRandomRgn  (201393622, 906233057, 1, ... ) == 0x0
 00851   484   NtGdiIntersectClipRect  (201393622, 8, 8, 194, 25, ... ) == 0x3
 00852   484   NtGdiExtSelectClipRgn  (201393622, 0, 5, ... ) == 0x2
 00853   484   NtGdiGetRandomRgn  (201393622, 923010273, 1, ... ) == 0x0
 00854   484   NtGdiIntersectClipRect  (201393622, 7, 7, 193, 25, ... ) == 0x3
 00855   484   NtGdiExtSelectClipRgn  (201393622, 0, 5, ... ) == 0x2
 00856   484   NtGdiBitBlt  (16842836, 0, 0, 222, 29, 201393622, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00857   484   NtGdiSelectBitmap  (201393622, 25493519, ... ) == 0xae0506b2
 00858   484   NtGdiDeleteObjectApp  (201393622, ... ) == 0x1
 00859   484   NtGdiDeleteObjectApp  (-1375402318, ... ) == 0x1
 00860   484   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 00861   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00862   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00863   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00864   484   NtUserQueryWindow  (1573108, 8, ... ) == 0x730103
 00865   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00866   484   NtUserGetThreadState  (13, ... ) == 0x0
 00867   484   NtUserUpdateInputContext  (7536899, 0, 1319624, ... ) == 0x1
 00868   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00869   484   NtUserQueryInputContext  (7536899, 1, ... ) == 0x1e4
 00870   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00871   484   NtUserQueryInputContext  (7536899, 2, ... ) == 0x90114
 00872   484   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 9502720, 524288, ) == 0x0
 00873   484   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00874   484   NtUserCallOneParam  (484, 40, ... ) == 0x4090409
 00875   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00876   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00877   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00878   484   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00879   484   NtUserGetDC  (0, ... ) == 0x1010051
 00880   484   NtGdiGetDCObject  (16842833, 655360, ... ) == 0x18a0021
 00881   484   NtGdiExtGetObjectW  (25821217, 92, 1240308, ... ) == 0x5c
 00882   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00883   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00884   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00885   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00886   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00887   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00888   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00889   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00890   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00891   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00892   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00893   484   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 00894   484   NtUserGetImeInfoEx  (1239348, 0, ... ) == 0x1
 00895   484   NtUserGetClassInfo  (1968963584, 1238732, 1238676, 1238724, 0, ... ) == 0xc079
 00896   484   NtUserCreateWindowEx  (0, 1239128, 1237892,  (0, 1239128, 1237892, "MSCTFIME UI", -2013265920, 0, 0, 0, 0, 590100, 0, 1968963584, 0, 1073742848, 0, ... , -2013265920, 0, 0, 0, 0, 590100, 0, 1968963584, 0, 1073742848, 0, ...
 00897   484   NtUserGetIconSize  (65539, 0, 1236652, 1236656, ... ) == 0x1
 00898   484   NtUserGetIconInfo  (65539, 1236628, 1236620, 1236612, 1236648, 1, ... ) == 0x1
 00899   484   NtUserFindExistingCursorIcon  (1236392, 1236408, 1236584, ... ) == 0x10003
 00900   484   NtGdiExtGetObjectW  (-1358625102, 24, 1236392, ... ) == 0x18
 00901   484   NtGdiGetDIBitsInternal  (-301922896, -1358625102, 0, 64, 1345232, 1345184, 0, 256, 0, ... ) == 0x40
 00902   484   NtUserGetDC  (0, ... ) == 0x1010051
 00903   484   NtGdiCreateDIBitmapInternal  (16842833, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xa20507d3
 00904   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00905   484   NtGdiSelectBitmap  (-301922896, -1576728621, ... ) == 0x185000f
 00906   484   NtGdiDoPalette  (-301922896, 0, 1, 1236252, 4, 0, ... ) == 0x1
 00907   484   NtGdiStretchDIBitsInternal  (-301922896, 0, 0, 16, 32, 0, 0, 32, 64, 1345232, 1342944, 0, 13369376, 48, 256, 0, ... ) == 0x40
 00908   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa20507d3
 00909   484   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x440106b3
 00910   484   NtGdiExtGetObjectW  (-1576728621, 24, 1236276, ... ) == 0x18
 00911   484   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x260504d9
 00912   484   NtGdiSelectBitmap  (-301922896, -1576728621, ... ) == 0x185000f
 00913   484   NtGdiSelectBitmap  (1140917939, 637863129, ... ) == 0x185000f
 00914   484   NtGdiBitBlt  (1140917939, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 00915   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa20507d3
 00916   484   NtGdiSelectBitmap  (1140917939, 25493519, ... ) == 0x260504d9
 00917   484   NtGdiDeleteObjectApp  (-1576728621, ... ) == 0x1
 00918   484   NtGdiDeleteObjectApp  (1140917939, ... ) == 0x1
 00919   484   NtGdiExtGetObjectW  (755304161, 24, 1236392, ... ) == 0x18
 00920   484   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00921   484   NtGdiGetDIBitsInternal  (-301922896, 755304161, 0, 32, 1345548, 1345496, 0, 4096, 0, ... ) == 0x20
 00922   484   NtUserGetDC  (0, ... ) == 0x1010051
 00923   484   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0x460506b3
 00924   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 00925   484   NtGdiSelectBitmap  (-301922896, 1174734515, ... ) == 0x185000f
 00926   484   NtGdiDoPalette  (-301922896, 0, 1, 1236252, 4, 0, ... ) == 0x0
 00927   484   NtGdiStretchDIBitsInternal  (-301922896, 0, 0, 16, 16, 0, 0, 32, 32, 1345548, 1342944, 0, 13369376, 40, 4096, 0, ... ) == 0x20
 00928   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x460506b3
 00929   484   NtGdiDeleteObjectApp  (-1358625102, ... ) == 0x1
 00930   484   NtGdiDeleteObjectApp  (755304161, ... ) == 0x1
 00931   484   NtUserCallOneParam  (0, 33, ... ) == 0x4500e5
 00932   484   NtUserSetCursorIconData  (4522213, 1236436, 1236452, 1236496, ... ) == 0x1
 00933   484   NtUserMessageCall  (0x11012c, WM_NCCREATE, 0x0, 0x12e2fc, 0, 670, 1, ... ) == 0x1
 00934   484   NtUserMessageCall  (0x11012c, WM_NCCALCSIZE, 0x0, 0x12e324, 0, 670, 1, ... ) == 0x0
 00935   484   NtUserSetProp  (1114412, 43288, -1, ... ) == 0x1
 00936   484   NtUserSetWindowLong  (1114412, 4, 1341056, 1, ... ) == 0x0
 00896   484   NtUserCreateWindowEx  ... ) == 0x11012c
 00937   484   NtUserSetWindowLong  (1114412, 0, 7536899, 0, ... ) == 0x0
 00938   484   NtUserGetThreadState  (17, ... ) == 0x0
 00939   484   NtUserQueryWindow  (590100, 3, ... ) == 0x1800f4
 00940   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00941   484   NtUserValidateHandleSecure  (7536899, ... ) == 0x1
 00942   484   NtUserUpdateInputContext  (7536899, 1, 0, ... ) == 0x1
 00943   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00944   484   NtUserSetWindowLong  (1114412, 0, 0, 0, ... ) == 0x730103
 00945   484   NtUserSetImeOwnerWindow  (590100, 0, ... ) == 0x1
 00946   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00947   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00948   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00949   484   NtUserKillTimer  (1114412, 1, ... ) == 0x0
 00950   484   NtUserSetTimer  (1114412, 1, 300, 0, ... ) == 0x1
 00951   484   NtUserCallNoParam  (7, ... ) == 0x1
 00952   484   NtUserQueryWindow  (590100, 3, ... ) == 0x1800f4
 00953   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00954   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00955   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00956   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00957   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00958   484   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 00959   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00960   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00961   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 00962   484   NtUserCallHwndLock  (590100, 86, ... ) == 0x1
 00963   484   NtUserNotifyIMEStatus  (1573108, 0, 0, ...
 00964   484   NtUserGetForegroundWindow  (... ) == 0xa0102
 00965   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00966   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 00963   484   NtUserNotifyIMEStatus  ... ) == 0x81aee620
 00818   484   NtUserSetFocus  ... ) == 0x0
 00967   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00968   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00969   484   NtUserSetWindowLong  (1573108, -12, 2, 0, ... ) == 0x1
 00970   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00971   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00972   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00973   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00974   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00975   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00976   484   NtUserGetClassName  (1573108, 0, 1241340, ... ) == 0x6
 00977   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 00978   484   NtUserGetClassName  (327932, 0, 1241340, ... ) == 0x6
 00979   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 00980   484   NtUserGetClassName  (852250, 0, 1241340, ... ) == 0x6
 00981   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 00982   484   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 00983   484   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 00984   484   NtUserSetWindowPos  (655618, 0, 404, 335, 222, 126, 1047, ... ) == 0x1
 00985   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00986   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00987   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00988   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00989   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00990   484   NtUserMessageCall  (0xa0102, 0x128, 0x30001, 0x0, 0, 670, 0, ...
 00991   484   NtUserMessageCall  (0x1800f4, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00992   484   NtUserMessageCall  (0x500fc, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00993   484   NtUserMessageCall  (0xd011a, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0
 00990   484   NtUserMessageCall  ... ) == 0x0
 00994   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00995   484   NtUserPeekMessage  (0, 0, 0, 1, ...
 00996   484   NtUserGetThreadState  (0, ... ) == 0x1800f4
 00997   484   NtUserGetForegroundWindow  (... ) == 0xa0102
 00998   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 00999   484   NtUserFindWindowEx  (0, 0,  (0, 0, "Shell_TrayWnd", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x20052
 01000   484   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 01001   484   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01002   484   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 01003   484   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01004   484   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 01005   484   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01006   484   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 01007   484   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01008   484   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 01009   484   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01010   484   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 01011   484   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01012   484   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 01013   484   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01014   484   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 01015   484   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01016   484   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 01017   484   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01018   484   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 01019   484   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01020   484   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 01021   484   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 01022   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01023   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01024   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01025   484   NtUserPostThreadMessage  (384, 49313, 1, 0, ... ) == 0x1
 01026   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01027   484   NtUserPostThreadMessage  (484, 49313, 0, 0, ... ) == 0x1
 01028   484   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01029   484   NtUserGetKeyboardLayoutList  (1, 1333008, ... ) == 0x1
 01030   484   NtWaitForSingleObject  (68, 0, {-50000000, -1}, ... ) == 0x0
 01031   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "CTF.AsmListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 104, ) }, ... 104, ) == 0x0
 01032   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01033   484   NtFlushVirtualMemory  (-1, (0x990000), 8, ... ) == STATUS_NOT_MAPPED_DATA
 01034   484   NtQueryInstallUILanguage  (2089305898, ... ) == 0x0
 01035   484   NtQueryDefaultUILanguage  (1239236, ...
 01036   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01037   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 01038   484   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01039   484   NtClose  (-2147482584, ... ) == 0x0
 01040   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 01041   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 01043   484   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   484   NtClose  (-2147481332, ... ) == 0x0
 01045   484   NtClose  (-2147482584, ... ) == 0x0
 01035   484   NtQueryDefaultUILanguage  ... ) == 0x0
 01046   484   NtReleaseMutant  (68, ... 0x0, ) == 0x0
 01047   484   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01048   484   NtClose  (104, ... ) == 0x0
 01049   484   NtReleaseMutant  (68, ...
 01050   484   NtContinue  (-139614372, 0, ...
 01049   484   NtReleaseMutant  ... ) == STATUS_MUTANT_NOT_OWNED
 01051   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01052   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01053   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01054   484   NtUserCreateWindowEx  (-2147483648, 1241272, 1240036, "-2013265920, 0, 0, 0, 0, -3, 0, 1953628160, 0, 1073742848, 0, ...
 01055   484   NtUserMessageCall  (0x60144, WM_NCCREATE, 0x0, 0x12eb44, 0, 670, 1, ... ) == 0x1
 01056   484   NtUserMessageCall  (0x60144, WM_NCCALCSIZE, 0x0, 0x12eb84, 0, 670, 1, ... ) == 0x0
 01057   484   NtUserSetProp  (393540, 43288, -1, ... ) == 0x1
 01054   484   NtUserCreateWindowEx  ... ) == 0x60144
 01058   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01059   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01060   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01061   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01062   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01063   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01064   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01065   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01066   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01067   484   NtUserPostThreadMessage  (1748, 49314, 0, 0, ... ) == 0x1
 01068   484   NtUserPostThreadMessage  (416, 49314, 0, 0, ... ) == 0x1
 01069   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 00995   484   NtUserPeekMessage  ... {0x0, WM_USER+0xbca1, 0x11, 0x1800f4, 0xbb134b, {0, 0}}, ) == 0x1
 01070   484   NtOpenProcessToken  (-1, 0x8, ... 104, ) == 0x0
 01071   484   NtQueryInformationToken  (104, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01072   484   NtClose  (104, ... ) == 0x0
 01073   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01074   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01075   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x0, WM_USER+0xbca1, 0x0, 0x0, 0xbb137a, {0, 0}}, ) == 0x1
 01076   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01077   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01078   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca7, 0x0, 0x0, 0xbb138a, {0, 0}}, ) == 0x1
 01079   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01080   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01081   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01082   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01083   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "CTF.ThreadMIConnectionEvent.000006D4.00000000.00000013"}, ... 104, ) }, ... 104, ) == 0x0
 01084   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01085   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01086   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01087   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01088   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01089   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01090   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01091   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01092   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01093   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01094   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01095   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01096   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01097   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01098   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01099   484   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 108, ) }, ... 108, ) == 0x0
 01100   484   NtQueryValueKey  (108,  (108, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101   484   NtQueryValueKey  (108,  (108, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01102   484   NtQueryValueKey  (108,  (108, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01103   484   NtClose  (108, ... ) == 0x0
 01104   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01105   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01106   484   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01107   484   NtUserGetKeyboardLayoutList  (1, 1343080, ... ) == 0x1
 01108   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01109   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01110   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01111   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01112   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01113   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 01114   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 01115   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01116   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01117   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01118   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01119   484   NtOpenProcessToken  (-1, 0xa, ... 108, ) == 0x0
 01120   484   NtDuplicateToken  (108, 0xc, {24, 0, 0x0, 0, 1241096, 0x0}, 0, 2, ... 112, ) == 0x0
 01121   484   NtClose  (108, ... ) == 0x0
 01122   484   NtAccessCheck  (1341080, 112, 0x1, 1241172, 1241224, 56, 1241204, ... (0x1), ) == 0x0
 01123   484   NtClose  (112, ... ) == 0x0
 01124   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01125   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01126   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01127   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01128   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01129   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 01130   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 01131   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01132   484   NtQueryDefaultLocale  (1, 1241108, ... ) == 0x0
 01133   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01134   484   NtQueryDefaultLocale  (1, 1241128, ... ) == 0x0
 01135   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01136   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01137   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01138   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01139   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01140   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 01141   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 01142   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01143   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01144   484   NtUserSystemParametersInfo  (31, 60, 1239840, 0, ... ) == 0x1
 01145   484   NtUserGetDC  (0, ... ) == 0x1010051
 01146   484   NtGdiHfontCreate  (1240848, 356, 0, 0, 1331296, ... ) == 0xb10a06b2
 01147   484   NtGdiGetTextMetricsW  (16842833, 1241088, 68, ... ) == 0x1
 01148   484   NtGdiDeleteObjectApp  (-1324742990, ... ) == 0x1
 01149   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01150   484   NtGdiHfontCreate  (1240812, 356, 0, 0, 1331296, ... ) == 0xb20a06b2
 01151   484   NtUserGetDC  (0, ... ) == 0x1010051
 01152   484   NtGdiCreateCompatibleDC  (16842833, ... ) == 0x890106b4
 01153   484   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0xa40507d3
 01154   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01155   484   NtGdiCreateBitmap  (16, 16, 1, 1, 0, ... ) == 0x830506ae
 01156   484   NtGdiSelectBitmap  (-1996421452, -1543174189, ... ) == 0x185000f
 01157   484   NtGdiGetCharSet  (-1996421452, ... ) == 0x4e4
 01158   484   NtGdiGetCharSet  (-1996421452, ... ) == 0x4e4
 01159   484   NtGdiGetTextCharsetInfo  (-1996421452, 0, 0, ... ) == 0x0
 01160   484   NtGdiGetTextMetricsW  (-1996421452, 1240728, 68, ... ) == 0x1
 01161   484   NtGdiGetRandomRgn  (-1996421452, 939787489, 1, ... ) == 0x0
 01162   484   NtGdiIntersectClipRect  (-1996421452, 0, 0, 16, 16, ... ) == 0x3
 01163   484   NtGdiGetWidthTable  (-1996421452, 2, 1352848, 258, 1353364, 1352216, 1352232, ... ) == 0x1
 01164   484   NtGdiExtSelectClipRgn  (-1996421452, 0, 5, ... ) == 0x2
 01165   484   NtGdiSelectBitmap  (-1996421452, -2096822610, ... ) == 0xa40507d3
 01166   484   NtGdiExtGetObjectW  (-2096822610, 24, 1241108, ... ) == 0x18
 01167   484   NtGdiExtGetObjectW  (-1543174189, 24, 1241084, ... ) == 0x18
 01168   484   NtUserCallOneParam  (0, 33, ... ) == 0x9024b
 01169   484   NtGdiExtGetObjectW  (-1543174189, 24, 1240980, ... ) == 0x18
 01170   484   NtGdiGetDIBitsInternal  (-301922896, -1543174189, 0, 16, 1352900, 1352848, 0, 1024, 0, ... ) == 0x10
 01171   484   NtGdiCreateDIBitmapInternal  (-301922896, 16, 16, 2, 0, 1342944, 0, 40, 0, 0, 0, ... ) == 0x340505d3
 01172   484   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x185000f
 01173   484   NtGdiGetDCforBitmap  (872744403, ... ) == 0xee0105b0
 01174   484   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01175   484   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x340505d3
 01176   484   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01177   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01178   484   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1352900, 1342944, 0, 1024, 40, 1, 0, ... ) == 0x10
 01179   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01180   484   NtGdiSelectBitmap  (-301922896, 872744403, ... ) == 0x340505d3
 01181   484   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01182   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0x340505d3
 01183   484   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0x870504d2
 01184   484   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0xef0105d7
 01185   484   NtGdiSelectBitmap  (-285145641, -2029714222, ... ) == 0x185000f
 01186   484   NtGdiSelectBitmap  (-301922896, -2096822610, ... ) == 0x0
 01187   484   NtGdiBitBlt  (-285145641, 0, 0, 16, 16, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01188   484   NtGdiSelectBitmap  (-285145641, 25493519, ... ) == 0x870504d2
 01189   484   NtGdiDeleteObjectApp  (-285145641, ... ) == 0x1
 01190   484   NtUserSetCursorIconData  (590411, 1241024, 1241040, 1241132, ... ) == 0x1
 01191   484   NtGdiSelectBitmap  (-1996421452, 25493519, ... ) == 0x830506ae
 01192   484   NtGdiDeleteObjectApp  (-2096822610, ... ) == 0x1
 01193   484   NtGdiDeleteObjectApp  (-1543174189, ... ) == 0x1
 01194   484   NtGdiDeleteObjectApp  (-1996421452, ... ) == 0x1
 01195   484   NtGdiDeleteObjectApp  (-1307965774, ... ) == 0x1
 01196   484   NtQueryDefaultUILanguage  (1238572, ...
 01197   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01198   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482584, ) == 0x0
 01199   484   NtQueryInformationToken  (-2147482584, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01200   484   NtClose  (-2147482584, ... ) == 0x0
 01201   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0
 01202   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x240, 0, 0,  (0x80000000, {24, -2147482584, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01203   484   NtOpenKey  (0x80000000, {24, -2147482584, 0x640, 0, 0,  (0x80000000, {24, -2147482584, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481332, ) }, ... -2147481332, ) == 0x0
 01204   484   NtQueryValueKey  (-2147481332,  (-2147481332, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01205   484   NtClose  (-2147481332, ... ) == 0x0
 01206   484   NtClose  (-2147482584, ... ) == 0x0
 01196   484   NtQueryDefaultUILanguage  ... ) == 0x0
 01207   484   NtOpenKey  (0x20019, {24, 80, 0x40, 0, 0,  (0x20019, {24, 80, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\LangBarAddIn\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\LangBarAddIn\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01209   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01210   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01211   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01212   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01213   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01214   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 01215   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 01216   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01217   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB..KIDBLL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01218   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01219   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "CTF.ThreadMarshalInterfaceEvent.000006D4.00000000.00000013"}, ... 108, ) }, ... 108, ) == 0x0
 01220   484   NtSetEvent  (108, ... 0x0, ) == 0x0
 01221   484   NtClose  (108, ... ) == 0x0
 01222   484   NtClose  (104, ... ) == 0x0
 01223   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01224   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb138a, {0, 0}}, ) == 0x1
 01225   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01226   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01227   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01228   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01229   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01230   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01231   484   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "MSCTF.Shared.MUTEX.ENG"}, 0, ... 108, ) }, 0, ... 108, ) == STATUS_OBJECT_NAME_EXISTS
 01232   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.Shared.SFM.ENG"}, ... 116, ) }, ... 116, ) == 0x0
 01233   484   NtMapViewOfSection  (116, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9a0000), {0, 0}, 524288, ) == 0x0
 01234   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01235   484   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01236   484   NtClose  (112, ... ) == 0x0
 01237   484   NtAllocateVirtualMemory  (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0
 01238   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01239   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.B.KIDBLL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01240   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01241   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.C.KIDBLL"}, {20, 0}, 4, 134217728, 0, ... 120, ) }, {20, 0}, 4, 134217728, 0, ... 120, ) == 0x0
 01242   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 4096, ) == 0x0
 01243   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.D.KIDBLL"}, {20, 0}, 4, 134217728, 0, ... 124, ) }, {20, 0}, 4, 134217728, 0, ... 124, ) == 0x0
 01244   484   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 4096, ) == 0x0
 01245   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01246   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01247   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01248   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01249   484   NtClose  (104, ... ) == 0x0
 01250   484   NtClose  (128, ... ) == 0x0
 01251   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01252   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb138a, {0, 0}}, ) == 0x1
 01253   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01254   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01255   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01256   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01257   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01258   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01259   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01260   484   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 01261   484   NtClose  (112, ... ) == 0x0
 01262   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01263   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.E.KJDBLL"}, {20, 0}, 4, 134217728, 0, ... 112, ) }, {20, 0}, 4, 134217728, 0, ... 112, ) == 0x0
 01264   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x990000), {0, 0}, 4096, ) == 0x0
 01265   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01266   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01267   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01268   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01269   484   NtClose  (128, ... ) == 0x0
 01270   484   NtClose  (104, ... ) == 0x0
 01271   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01272   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb138a, 0x1, 0xbb139a, {0, 0}}, ) == 0x1
 01273   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01274   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01275   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01276   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01277   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1238964, ... ) }, 1238964, ... ) == 0x0
 01278   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01279   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb139a, {0, 0}}, ) == 0x1
 01280   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01281   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01282   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01283   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01284   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01285   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01286   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01287   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01288   484   NtClose  (120, ... ) == 0x0
 01289   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01290   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.F.KJDBLL"}, {20, 0}, 4, 134217728, 0, ... 120, ) }, {20, 0}, 4, 134217728, 0, ... 120, ) == 0x0
 01291   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 4096, ) == 0x0
 01292   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01293   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01294   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01295   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01296   484   NtClose  (104, ... ) == 0x0
 01297   484   NtClose  (128, ... ) == 0x0
 01298   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01299   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb138a, 0x2, 0xbb139a, {0, 0}}, ) == 0x1
 01300   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01301   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01302   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01303   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01304   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01305   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb139a, {0, 0}}, ) == 0x1
 01306   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01307   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01308   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01309   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01310   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01311   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01312   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01313   484   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 01314   484   NtClose  (124, ... ) == 0x0
 01315   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01316   484   NtCreateSection  (0xf0007, {24, 52, 0x80, 0, 0,  (0xf0007, {24, 52, 0x80, 0, 0, "MSCTF.MarshalInterface.FileMap.EOB.G.KJDBLL"}, {20, 0}, 4, 134217728, 0, ... 124, ) }, {20, 0}, 4, 134217728, 0, ... 124, ) == 0x0
 01317   484   NtMapViewOfSection  (124, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa30000), {0, 0}, 4096, ) == 0x0
 01318   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01319   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01320   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01321   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01322   484   NtClose  (128, ... ) == 0x0
 01323   484   NtClose  (104, ... ) == 0x0
 01324   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01325   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca9, 0xbb138a, 0x3, 0xbb139a, {0, 0}}, ) == 0x1
 01326   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01327   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01328   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01329   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01330   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01331   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb139a, {0, 0}}, ) == 0x1
 01332   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01333   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01334   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01335   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01336   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 104, ) }, ... 104, ) == 0x0
 01337   484   NtSetEvent  (104, ... 0x0, ) == 0x0
 01338   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01339   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01340   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.M.KJDBLL"}, ... 128, ) }, ... 128, ) == 0x0
 01341   484   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01342   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01343   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01344   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01345   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01346   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01347   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01348   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01349   484   NtClose  (128, ... ) == 0x0
 01350   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.N.KJDBLL"}, ... 128, ) }, ... 128, ) == 0x0
 01351   484   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01352   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01353   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01354   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01355   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01356   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01357   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01358   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01359   484   NtClose  (128, ... ) == 0x0
 01360   484   NtOpenSection  (0xf001f, {24, 52, 0x0, 0, 0,  (0xf001f, {24, 52, 0x0, 0, 0, "MSCTF.MarshalInterface.FileMap.ENG.O.KJDBLL"}, ... 128, ) }, ... 128, ) == 0x0
 01361   484   NtMapViewOfSection  (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa40000), {0, 0}, 4096, ) == 0x0
 01362   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01363   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01364   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01365   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01366   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 01367   484   NtUserQueryWindow  (65742, 1, ... ) == 0x6d4
 01368   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01369   484   NtClose  (128, ... ) == 0x0
 01370   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01371   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01372   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01373   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01374   484   NtClose  (104, ... ) == 0x0
 01375   484   NtClose  (128, ... ) == 0x0
 01376   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01377   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb139a, {0, 0}}, ) == 0x1
 01378   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01379   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01380   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01381   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01382   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01383   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01384   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01385   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01386   484   NtClose  (120, ... ) == 0x0
 01387   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01388   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01389   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01390   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01391   484   NtSetEvent  (120, ... 0x0, ) == 0x0
 01392   484   NtClose  (128, ... ) == 0x0
 01393   484   NtClose  (120, ... ) == 0x0
 01394   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01395   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x60144, WM_USER+0xbca6, 0x6d4, 0x28, 0xbb139a, {0, 0}}, ) == 0x1
 01396   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01397   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01398   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01399   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01400   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceiveConection.Event.ENG.IC"}, ... 120, ) }, ... 120, ) == 0x0
 01401   484   NtSetEvent  (120, ... 0x0, ) == 0x0
 01402   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01403   484   NtAllocateVirtualMemory  (-1, 1363968, 0, 12288, 4096, 4, ... 1363968, 12288, ) == 0x0
 01404   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01405   484   NtQueryDefaultLocale  (1, 1239964, ... ) == 0x0
 01406   484   NtQueryDefaultLocale  (1, 1239984, ... ) == 0x0
 01407   484   NtUserGetDC  (0, ... ) == 0x1010051
 01408   484   NtGdiCreateCompatibleBitmap  (16842833, 16, 16, ... ) == 0xb30506b2
 01409   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01410   484   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0x185000f
 01411   484   NtGdiGetDCforBitmap  (-1291516238, ... ) == 0xee0105b0
 01412   484   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01413   484   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0xb30506b2
 01414   484   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01415   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01416   484   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 16, 0, 0, 0, 16, 1953913504, 1358040, 0, 128, 104, 1, 0, ... ) == 0x10
 01417   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01418   484   NtGdiSelectBitmap  (-301922896, -1291516238, ... ) == 0xb30506b2
 01419   484   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01420   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xb30506b2
 01421   484   NtUserGetDC  (0, ... ) == 0x1010051
 01422   484   NtGdiCreateDIBitmapInternal  (16842833, 16, 32, 2, 0, 2118583256, 0, 48, 0, 0, 0, ... ) == 0xa60507d3
 01423   484   NtUserCallOneParam  (16842833, 57, ... ) == 0x1
 01424   484   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0x185000f
 01425   484   NtGdiGetDCforBitmap  (-1509619757, ... ) == 0xee0105b0
 01426   484   NtGdiSaveDC  (-301922896, ... ) == 0x1
 01427   484   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0xa60507d3
 01428   484   NtGdiGetDCObject  (-301922896, 524288, ... ) == 0x188000b
 01429   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01430   484   NtGdiSetDIBitsToDeviceInternal  (-301922896, 0, 0, 16, 32, 0, 0, 0, 32, 1953913568, 1358040, 0, 128, 48, 1, 0, ... ) == 0x20
 01431   484   NtUserSelectPalette  (-301922896, 25690123, 0, ... ) == 0x188000b
 01432   484   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0xa60507d3
 01433   484   NtGdiRestoreDC  (-301922896, -1, ... ) == 0x1
 01434   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa60507d3
 01435   484   NtGdiCreateCompatibleDC  (-301922896, ... ) == 0x860106ae
 01436   484   NtGdiExtGetObjectW  (-1509619757, 24, 1239416, ... ) == 0x18
 01437   484   NtGdiCreateBitmap  (16, 32, 1, 1, 0, ... ) == 0xf20505d7
 01438   484   NtGdiSelectBitmap  (-301922896, -1509619757, ... ) == 0x185000f
 01439   484   NtGdiSelectBitmap  (-2046753106, -234551849, ... ) == 0x185000f
 01440   484   NtGdiBitBlt  (-2046753106, 0, 0, 16, 32, -301922896, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01441   484   NtGdiSelectBitmap  (-301922896, 25493519, ... ) == 0xa60507d3
 01442   484   NtGdiSelectBitmap  (-2046753106, 25493519, ... ) == 0xf20505d7
 01443   484   NtGdiDeleteObjectApp  (-1509619757, ... ) == 0x1
 01444   484   NtGdiDeleteObjectApp  (-2046753106, ... ) == 0x1
 01445   484   NtUserCallOneParam  (0, 33, ... ) == 0x402a3
 01446   484   NtUserSetCursorIconData  (262819, 1239464, 1239480, 1239544, ... ) == 0x1
 01447   484   NtUserGetIconInfo  (262819, 1240816, 0, 0, 0, 0, ... ) == 0x1
 01448   484   NtGdiExtGetObjectW  (-1929050444, 24, 1240740, ... ) == 0x18
 01449   484   NtGdiExtGetObjectW  (-2012936530, 24, 1240716, ... ) == 0x18
 01450   484   NtGdiDeleteObjectApp  (-1929050444, ... ) == 0x1
 01451   484   NtGdiDeleteObjectApp  (-2012936530, ... ) == 0x1
 01452   484   NtUserGetIconInfo  (262819, 1240812, 0, 0, 0, 0, ... ) == 0x1
 01453   484   NtGdiExtGetObjectW  (-1912273228, 24, 1240728, ... ) == 0x18
 01454   484   NtGdiExtGetObjectW  (-1996159314, 24, 1240704, ... ) == 0x18
 01455   484   NtGdiGetBitmapBits  (-1912273228, 1024, 1358288, ... ) == 0x400
 01456   484   NtGdiGetBitmapBits  (-1996159314, 32, 1359312, ... ) == 0x20
 01457   484   NtGdiDeleteObjectApp  (-1912273228, ... ) == 0x1
 01458   484   NtGdiDeleteObjectApp  (-1996159314, ... ) == 0x1
 01459   484   NtUserDestroyCursor  (262819, 1, ... ) == 0x1
 01460   484   NtWaitForSingleObject  (108, 0, {-50000000, -1}, ... ) == 0x0
 01461   484   NtReleaseMutant  (108, ... 0x0, ) == 0x0
 01462   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "MSCTF.SendReceive.Event.ENG.IC"}, ... 128, ) }, ... 128, ) == 0x0
 01463   484   NtSetEvent  (128, ... 0x0, ) == 0x0
 01464   484   NtClose  (120, ... ) == 0x0
 01465   484   NtClose  (128, ... ) == 0x0
 01466   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01467   484   NtUserShowWindow  (655618, 1, ...
 01468   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01469   484   NtUserGetThreadState  (1, ... ) == 0xa0102
 01470   484   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01471   484   NtUserGetForegroundWindow  (... ) == 0xa0102
 01472   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01473   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01474   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01475   484   NtUserGetKeyboardLayoutList  (0, 0, ... ) == 0x1
 01476   484   NtUserGetKeyboardLayoutList  (1, 1349344, ... ) == 0x1
 01477   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01478   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01479   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 01480   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01481   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01482   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01483   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01484   484   NtWaitForSingleObject  (60, 0, {-50000000, -1}, ... ) == 0x0
 01485   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01486   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01487   484   NtWaitForSingleObject  (84, 0, {-50000000, -1}, ... ) == 0x0
 01488   484   NtReleaseMutant  (84, ... 0x0, ) == 0x0
 01489   484   NtUserPostThreadMessage  (1748, 49314, 0, 0, ... ) == 0x1
 01490   484   NtUserPostThreadMessage  (416, 49314, 0, 0, ... ) == 0x1
 01491   484   NtReleaseMutant  (60, ... 0x0, ) == 0x0
 01492   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01493   484   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01494   484   NtGdiGetRandomRgn  (16842836, 956564705, 1, ... ) == 0x0
 01495   484   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01496   484   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01497   484   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x2
 01498   484   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01499   484   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01500   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1240436, 690, 0, ...
 01501   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01500   484   NtUserMessageCall  ... ) == 0x0
 01502   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1240436, 690, 0, ...
 01503   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01502   484   NtUserMessageCall  ... ) == 0x0
 01504   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1240436, 690, 0, ...
 01505   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01504   484   NtUserMessageCall  ... ) == 0x0
 01506   484   NtUserGetTitleBarInfo  (655618, 1241068, ... ) == 0x1
 01507   484   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010050
 01508   484   NtGdiExcludeClipRect  (16842832, 3, 29, 219, 123, ... ) == 0x3
 01509   484   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01510   484   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01511   484   NtGdiDrawStream  (16842832, 96, 1240552, ... ) == 0x1
 01512   484   NtGdiCreateCompatibleBitmap  (16842832, 222, 29, ... ) == 0x940506b4
 01513   484   NtGdiCreateCompatibleDC  (16842832, ... ) == 0x7101032c
 01514   484   NtGdiSelectBitmap  (1895891756, -1811609932, ... ) == 0x185000f
 01515   484   NtGdiDrawStream  (1895891756, 96, 1240444, ... ) == 0x1
 01516   484   NtGdiDrawStream  (1895891756, 96, 1240400, ... ) == 0x1
 01517   484   NtGdiDrawStream  (1895891756, 96, 1240400, ... ) == 0x1
 01518   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01519   484   NtGdiGetRandomRgn  (1895891756, 973341921, 1, ... ) == 0x0
 01520   484   NtGdiIntersectClipRect  (1895891756, 8, 8, 194, 25, ... ) == 0x3
 01521   484   NtGdiExtSelectClipRgn  (1895891756, 0, 5, ... ) == 0x2
 01522   484   NtGdiGetRandomRgn  (1895891756, 990119137, 1, ... ) == 0x0
 01523   484   NtGdiIntersectClipRect  (1895891756, 7, 7, 193, 25, ... ) == 0x3
 01524   484   NtGdiExtSelectClipRgn  (1895891756, 0, 5, ... ) == 0x2
 01525   484   NtGdiBitBlt  (16842832, 0, 0, 222, 29, 1895891756, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01526   484   NtGdiSelectBitmap  (1895891756, 25493519, ... ) == 0x940506b4
 01527   484   NtGdiDeleteObjectApp  (1895891756, ... ) == 0x1
 01528   484   NtGdiDeleteObjectApp  (-1811609932, ... ) == 0x1
 01529   484   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 01530   484   NtUserFillWindow  (655618, 655618, 16842835, 4, ...
 01531   484   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 01532   484   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 01533   484   NtUserGetAncestor  (65556, 1, ... ) == 0x0
 01530   484   NtUserFillWindow  ... ) == 0x1
 01534   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01535   484   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01536   484   NtGdiGetRandomRgn  (16842836, 1006896353, 1, ... ) == 0x0
 01537   484   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01538   484   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01539   484   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x2
 01540   484   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01541   484   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01542   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1240728, 690, 0, ...
 01543   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01542   484   NtUserMessageCall  ... ) == 0x0
 01544   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1240728, 690, 0, ...
 01545   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01544   484   NtUserMessageCall  ... ) == 0x0
 01546   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1240728, 690, 0, ...
 01547   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01546   484   NtUserMessageCall  ... ) == 0x0
 01548   484   NtUserGetTitleBarInfo  (655618, 1241360, ... ) == 0x1
 01549   484   NtUserBuildHwndList  (0, 655618, 1, 0, 64, ... (0x1800f4, 0x500fc, 0xd011a, 0x1, ), 4, ) == 0x0
 01550   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01551   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01552   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01553   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01554   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01555   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01556   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01557   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01558   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01559   484   NtUserGetWindowDC  (0, ... ) == 0x1010052
 01560   484   NtUserCallOneParam  (16842834, 57, ... ) == 0x1
 01561   484   NtGdiExtCreateRegion  (0, 112, 8662840, ... ) == 0x960406b4
 01562   484   NtGdiOffsetRgn  (-1778121036, 0, 0, ... ) == 0x3
 01563   484   NtGdiCombineRgn  (1023673569, -1778121036, 1023673569, 5, ... ) == 0x3
 01564   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x7204032c
 01565   484   NtGdiCombineRgn  (1023673569, 1912865580, 1023673569, 2, ... ) == 0x3
 01566   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0xf60405d7
 01567   484   NtGdiCombineRgn  (1023673569, -167508521, 1023673569, 2, ... ) == 0x3
 01568   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x8d0406ae
 01569   484   NtGdiCombineRgn  (1023673569, -1929115986, 1023673569, 2, ... ) == 0x3
 01570   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0xb80406b2
 01571   484   NtGdiCombineRgn  (1023673569, -1207695694, 1023673569, 2, ... ) == 0x3
 01572   484   NtGdiCreateRectRgn  (0, 0, 1, 1, ... ) == 0x560403d5
 01573   484   NtGdiCombineRgn  (1443103701, 1023673569, 0, 5, ... ) == 0x3
 01574   484   NtUserSetWindowRgn  (655618, 1023673569, 1, ...
 01575   484   NtUserMessageCall  (0xa0102, WM_NCCALCSIZE, 0x1, 0x12f04c, 0, 670, 0, ... ) == 0x0
 01576   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01577   484   NtUserGetWindowDC  (655618, ... ) == 0x1010054
 01578   484   NtGdiGetRandomRgn  (16842836, -1190918478, 1, ... ) == 0x0
 01579   484   NtGdiIntersectClipRect  (16842836, 0, 0, 0, 0, ... ) == 0x3
 01580   484   NtGdiGetCharSet  (16842836, ... ) == 0x4e4
 01581   484   NtGdiExtSelectClipRgn  (16842836, 0, 5, ... ) == 0x3
 01582   484   NtUserCallOneParam  (16842836, 57, ... ) == 0x1
 01583   484   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01584   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239508, 690, 0, ...
 01585   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01584   484   NtUserMessageCall  ... ) == 0x0
 01586   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239508, 690, 0, ...
 01587   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01586   484   NtUserMessageCall  ... ) == 0x0
 01588   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239508, 690, 0, ...
 01589   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01588   484   NtUserMessageCall  ... ) == 0x0
 01590   484   NtUserGetTitleBarInfo  (655618, 1240140, ... ) == 0x1
 01591   484   NtUserGetDCEx  (655618, 0, 66561, ... ) == 0x1010053
 01592   484   NtGdiExcludeClipRect  (16842835, 3, 29, 219, 123, ... ) == 0x3
 01593   484   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01594   484   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01595   484   NtGdiDrawStream  (16842835, 96, 1239624, ... ) == 0x1
 01596   484   NtGdiCreateCompatibleBitmap  (16842835, 222, 29, ... ) == 0x380506a8
 01597   484   NtGdiCreateCompatibleDC  (16842835, ... ) == 0x5a01066b
 01598   484   NtGdiSelectBitmap  (1510016619, 939853480, ... ) == 0x185000f
 01599   484   NtGdiDrawStream  (1510016619, 96, 1239516, ... ) == 0x1
 01600   484   NtGdiDrawStream  (1510016619, 96, 1239472, ... ) == 0x1
 01601   484   NtGdiDrawStream  (1510016619, 96, 1239472, ... ) == 0x1
 01602   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01603   484   NtGdiGetRandomRgn  (1510016619, -1174141262, 1, ... ) == 0x0
 01604   484   NtGdiIntersectClipRect  (1510016619, 8, 8, 194, 25, ... ) == 0x3
 01605   484   NtGdiExtSelectClipRgn  (1510016619, 0, 5, ... ) == 0x2
 01606   484   NtGdiGetRandomRgn  (1510016619, -1157364046, 1, ... ) == 0x0
 01607   484   NtGdiIntersectClipRect  (1510016619, 7, 7, 193, 25, ... ) == 0x3
 01608   484   NtGdiExtSelectClipRgn  (1510016619, 0, 5, ... ) == 0x2
 01609   484   NtGdiBitBlt  (16842835, 0, 0, 222, 29, 1510016619, 0, 0, 13369376, -1, 0, ... ) == 0x1
 01610   484   NtGdiSelectBitmap  (1510016619, 25493519, ... ) == 0x380506a8
 01611   484   NtGdiDeleteObjectApp  (1510016619, ... ) == 0x1
 01612   484   NtGdiDeleteObjectApp  (939853480, ... ) == 0x1
 01613   484   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01614   484   NtUserFillWindow  (655618, 655618, 16842832, 4, ...
 01615   484   NtUserGetAncestor  (655618, 1, ... ) == 0x10014
 01616   484   NtUserValidateHandleSecure  (65556, ... ) == 0x1
 01617   484   NtUserGetAncestor  (65556, 1, ... ) == 0x0
 01614   484   NtUserFillWindow  ... ) == 0x1
 01574   484   NtUserSetWindowRgn  ... ) == 0x1
 01467   484   NtUserShowWindow  ... ) == 0x0
 01618   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01619   484   NtUserCallHwndLock  (655618, 94, ...
 01620   484   NtUserMessageCall  (0xa0102, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01621   484   NtUserBeginPaint  (0x1800f4, 1241748, ...
 01622   484   NtUserMessageCall  (0x1800f4, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01621   484   NtUserBeginPaint  ... ) == 0x1010050
 01623   484   NtUserGetControlBrush  (0x1800f4, 16842832, 309, ... ) == 0x1100056
 01624   484   NtGdiIntersectClipRect  (16842832, 0, 0, 75, 23, ... ) == 0x3
 01625   484   NtGdiIntersectClipRect  (16842832, 3, 3, 72, 20, ... ) == 0x3
 01626   484   NtUserEndPaint  (0x1800f4, 1241748, ... ) == 0x1
 01627   484   NtUserBeginPaint  (0x500fc, 1241752, ...
 01628   484   NtUserMessageCall  (0x500fc, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01627   484   NtUserBeginPaint  ... ) == 0x1010050
 01629   484   NtGdiIntersectClipRect  (16842832, 0, 0, 32, 32, ... ) == 0x3
 01630   484   NtUserGetControlBrush  (0x500fc, 16842832, 312, ...
 01631   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01632   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01630   484   NtUserGetControlBrush  ... ) == 0x1100056
 01633   484   NtGdiGetDCDword  (16842832, 7, 1241436, ... ) == 0x1
 01634   484   NtUserDrawIconEx  (16842832, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1241488, ... ) == 0x1
 01635   484   NtUserEndPaint  (0x500fc, 1241752, ... ) == 0x1
 01636   484   NtUserBeginPaint  (0xd011a, 1241752, ...
 01637   484   NtUserMessageCall  (0xd011a, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01636   484   NtUserBeginPaint  ... ) == 0x1010050
 01638   484   NtGdiIntersectClipRect  (16842832, 0, 0, 149, 15, ... ) == 0x3
 01639   484   NtUserGetControlBrush  (0xd011a, 16842832, 312, ...
 01640   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01641   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01639   484   NtUserGetControlBrush  ... ) == 0x1100056
 01642   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01643   484   NtGdiGetTextCharsetInfo  (16842832, 0, 0, ... ) == 0x0
 01644   484   NtUserEndPaint  (0xd011a, 1241752, ... ) == 0x1
 01619   484   NtUserCallHwndLock  ... ) == 0x1
 01645   484   NtUserWaitMessage  (... ) == 0x1
 01646   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_KEYFIRST, 0x20, 0x0, 0xbb1417, {0, 0}}, ) == 0x1
 01647   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01648   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01649   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01650   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01651   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01652   484   NtUserTranslateMessage  (1242200, 0, ... ) == 0x1
 01653   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01654   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01655   484   NtUserSetCapture  (1573108, ... ) == 0x0
 01656   484   NtUserSetFocus  (1573108, ... ) == 0x1800f4
 01657   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01658   484   NtUserGetDC  (1573108, ... ) == 0x1010050
 01659   484   NtUserGetControlBrush  (0x1800f4, 16842832, 309, ... ) == 0x1100056
 01660   484   NtGdiIntersectClipRect  (16842832, 0, 0, 75, 23, ... ) == 0x3
 01661   484   NtGdiIntersectClipRect  (16842832, 3, 3, 72, 20, ... ) == 0x3
 01662   484   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 01663   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_CHAR, 0x20, 0x0, 0xbb1417, {0, 0}}, ) == 0x1
 01664   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01665   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01666   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01667   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01668   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01669   484   NtUserPeekMessage  (0, 0, 0, 1, ... {0x1800f4, WM_KEYFIRST, 0xd, 0x0, 0xbb1417, {0, 0}}, ) == 0x1
 01670   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01671   484   NtUserCallMsgFilter  (1242108, 0, ... ) == 0x0
 01672   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01673   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01674   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01675   484   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01676   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01677   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01678   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01679   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01680   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01681   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01682   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01683   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01684   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01685   484   NtUserGetThreadState  (1, ... ) == 0xa0102
 01686   484   NtUserGetThreadState  (0, ... ) == 0x1800f4
 01687   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01688   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01689   484   NtUserSetFocus  (655618, ...
 01690   484   NtUserPostThreadMessage  (484, 49313, 17, 655618, ... ) == 0x1
 01691   484   NtUserGetDC  (1573108, ... ) == 0x1010050
 01692   484   NtUserGetControlBrush  (0x1800f4, 16842832, 309, ... ) == 0x1100056
 01693   484   NtGdiIntersectClipRect  (16842832, 0, 0, 75, 23, ... ) == 0x3
 01694   484   NtGdiIntersectClipRect  (16842832, 3, 3, 72, 20, ... ) == 0x3
 01695   484   NtUserCallOneParam  (16842832, 57, ... ) == 0x1
 01696   484   NtUserCallNoParam  (13, ... ) == 0x1
 01697   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01698   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01699   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01700   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01701   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01702   484   NtUserGetThreadState  (1, ... ) == 0xa0102
 01703   484   NtUserGetThreadState  (0, ... ) == 0xa0102
 01704   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01705   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01706   484   NtUserSetWindowPos  (655618, 0, 0, 0, 0, 0, 151, ...
 01707   484   NtUserInternalGetWindowText  (0xa0102, 260, ...  (0xa0102, 260, ... "Error", ) , ) == 0x5
 01708   484   NtUserGetWindowDC  (655618, ... ) == 0x1010053
 01709   484   NtGdiGetRandomRgn  (16842835, -1140586830, 1, ... ) == 0x0
 01710   484   NtGdiIntersectClipRect  (16842835, 0, 0, 0, 0, ... ) == 0x3
 01711   484   NtGdiGetCharSet  (16842835, ... ) == 0x4e4
 01712   484   NtGdiExtSelectClipRgn  (16842835, 0, 5, ... ) == 0x1
 01713   484   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 01714   484   NtUserCalcMenuBar  (655618, 3, 3, 29, 8661352, ... ) == 0x0
 01715   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 1239032, 690, 0, ...
 01716   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0
 01715   484   NtUserMessageCall  ... ) == 0x0
 01717   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 1239032, 690, 0, ...
 01718   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0
 01717   484   NtUserMessageCall  ... ) == 0x0
 01719   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 1239032, 690, 0, ...
 01720   484   NtUserMessageCall  (0xa0102, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0
 01719   484   NtUserMessageCall  ... ) == 0x0
 01721   484   NtUserGetTitleBarInfo  (655618, 1239664, ... ) == 0x1
 01722   484   NtUserBuildHwndList  (0, 655618, 1, 0, 64, ... (0x1800f4, 0x500fc, 0xd011a, 0x1, ), 4, ) == 0x0
 01723   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01724   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01725   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01726   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01727   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01728   484   NtUserValidateHandleSecure  (327932, ... ) == 0x1
 01729   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01730   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01731   484   NtUserValidateHandleSecure  (852250, ... ) == 0x1
 01706   484   NtUserSetWindowPos  ... ) == 0x1
 01732   484   NtUserGetThreadState  (1, ... ) == 0xa0102
 01733   484   NtUserCallNoParam  (15, ... ) == 0xbc64fea8
 01734   484   NtUserPostMessage  (655618, 0, 0, 0, ... ) == 0x1
 01735   484   NtUserInvalidateRect  (1573108, 0, 0, ... ) == 0x1
 01736   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01737   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01738   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01739   484   NtUserCallOneParam  (0, 40, ... ) == 0x4090409
 01740   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01741   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01742   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01743   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01744   484   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 01745   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01746   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01747   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01748   484   NtUserKillTimer  (1114412, 1, ... ) == 0x1
 01749   484   NtUserSetTimer  (1114412, 1, 300, 0, ... ) == 0x1
 01750   484   NtUserCallNoParam  (7, ... ) == 0x1
 01751   484   NtUserQueryWindow  (590100, 3, ... ) == 0x0
 01752   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01753   484   NtUserQueryWindow  (590100, 2, ... ) == 0x0
 01754   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01755   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01756   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01757   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01758   484   NtUserQueryWindow  (1573108, 7, ... ) == 0x90114
 01759   484   NtUserValidateHandleSecure  (1573108, ... ) == 0x1
 01760   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01761   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01689   484   NtUserSetFocus  ... ) == 0x1800f4
 01762   484   NtUserSetWindowPos  (655618, 0, 0, 0, 0, 0, 151, ... ) == 0x1
 01763   484   NtUserGetThreadState  (1, ... ) == 0x0
 01764   484   NtUserPostMessage  (655618, 0, 0, 0, ... ) == 0x1
 01765   484   NtUserDestroyWindow  (655618, ...
 01766   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01767   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01768   484   NtUserGetThreadState  (0, ... ) == 0x0
 01769   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 01770   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01771   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01772   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01773   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01774   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01775   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01776   484   NtUserCallOneParam  (8, 43, ... ) == 0x80008
 01777   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01778   484   NtUserPeekMessage  (393540, 0, 0, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0xa0102, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01779   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01780   484   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb1417, {0, 0}}, ) == 0x1
 01781   484   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb1417, {0, 0}}, ) == 0x0
 01782   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01783   484   NtUserPeekMessage  (0, 49318, 49318, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb1417, {0, 0}}, ) == 0x0
 01784   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01785   484   NtUserPeekMessage  (0, 49319, 49319, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb1417, {0, 0}}, ) == 0x0
 01786   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01787   484   NtUserPeekMessage  (0, 49321, 49321, 9961475, ... {0x0, WM_USER+0xbca1, 0x11, 0xa0102, 0xbb1417, {0, 0}}, ) == 0x0
 01788   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 01789   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01790   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01791   484   NtUserDestroyCursor  (65545, 1, ... ) == 0x1
 01792   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01793   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01794   484   NtUserGetThreadState  (0, ... ) == 0x0
 01795   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 01796   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01797   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01798   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01799   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01800   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01801   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01802   484   NtUserValidateHandleSecure  (590100, ... ) == 0x1
 01803   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01804   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01805   484   NtUserPeekMessage  (393540, 0, 0, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01806   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01807   484   NtUserPeekMessage  (0, 49313, 49313, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01808   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01809   484   NtUserPeekMessage  (0, 49318, 49318, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01810   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01811   484   NtUserPeekMessage  (0, 49319, 49319, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01812   484   NtUserCallOneParam  (8, 43, ... ) == 0x80000
 01813   484   NtUserPeekMessage  (0, 49321, 49321, 9961475, ... {0x7e470254, WM_USER+0x148588, 0x145540, 0x90114, 0x0, {2118223026, 2118313942}}, ) == 0x0
 01814   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 01815   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01816   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01817   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x1
 01818   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x11012c, 0x90114, 0x1, ), 4, ) == 0x0
 01819   484   NtUserValidateHandleSecure  (655618, ... ) == 0x1
 01820   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01821   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01822   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01823   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01824   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01825   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01826   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01827   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01828   484   NtUserSetWindowLong  (1114412, 4, 0, 1, ... ) == 0x147680
 01829   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01830   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01831   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01832   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01833   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01834   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01835   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01836   484   NtUserValidateHandleSecure  (0, ... ) == 0x0
 01837   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01838   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01839   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01840   484   NtUserKillTimer  (0, 0, ... ) == 0x0
 01841   484   NtUserRemoveProp  (1114412, 43288, ... ) == 0xffffffff
 01842   484   NtUserRemoveProp  (1114412, 43282, ... ) == 0x0
 01843   484   NtUserRemoveProp  (1114412, 43287, ... ) == 0x0
 01844   484   NtUserBuildHwndList  (0, 0, 0, 484, 64, ... (0xa0102, 0x90114, 0x1, ), 3, ) == 0x0
 01845   484   NtUserValidateHandleSecure  (1114412, ... ) == 0x0
 01846   484   NtUserSetWindowFNID  (590100, 16384, ... ) == 0x1
 01847   484   NtUserRemoveProp  (590100, 43288, ... ) == 0xffffffff
 01848   484   NtUserRemoveProp  (590100, 43282, ... ) == 0x0
 01849   484   NtUserRemoveProp  (590100, 43287, ... ) == 0x0
 01850   484   NtUserSetWindowFNID  (1573108, 16384, ... ) == 0x1
 01851   484   NtUserRemoveProp  (1573108, 43288, ... ) == 0xffffffff
 01852   484   NtUserRemoveProp  (1573108, 43282, ... ) == 0x0
 01853   484   NtUserRemoveProp  (1573108, 43287, ... ) == 0x0
 01854   484   NtUserSetWindowFNID  (327932, 16384, ... ) == 0x1
 01855   484   NtUserRemoveProp  (327932, 43288, ... ) == 0xffffffff
 01856   484   NtUserRemoveProp  (327932, 43282, ... ) == 0x0
 01857   484   NtUserRemoveProp  (327932, 43287, ... ) == 0x0
 01858   484   NtUserSetWindowFNID  (852250, 16384, ... ) == 0x1
 01859   484   NtUserRemoveProp  (852250, 43288, ... ) == 0xffffffff
 01860   484   NtUserRemoveProp  (852250, 43282, ... ) == 0x0
 01861   484   NtUserRemoveProp  (852250, 43287, ... ) == 0x0
 01862   484   NtUserSetThreadState  (0, 16384, ... ) == 0x81aee620
 01863   484   NtGdiDeleteObjectApp  (705300119, ... ) == 0x1
 01864   484   NtUserCallHwndParam  (655618, 0, 79, ... ) == 0x0
 01865   484   NtUserRemoveProp  (655618, 43285, ... ) == 0x0
 01866   484   NtUserRemoveProp  (655618, 43288, ... ) == 0x8428b0
 01867   484   NtGdiDeleteObjectApp  (-1778121036, ... ) == 0x1
 01868   484   NtUserRemoveProp  (655618, 43282, ... ) == 0x0
 01869   484   NtUserRemoveProp  (655618, 43287, ... ) == 0x0
 01765   484   NtUserDestroyWindow  ... ) == 0x1
 01870   484   NtUserSetCursor  (65557, ... ) == 0x10015
 01871   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1242580,  (0x80100080, {24, 0, 0x40, 0, 1242580, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 01872   484   NtQueryInformationFile  (128, 1243016, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01873   484   NtQueryInformationFile  (128, 1242932, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01874   484   NtQueryInformationFile  (128, 1242748, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01875   484   NtQueryInformationFile  (128, 1353208, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01876   484   NtQueryInformationFile  (128, 1241196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01877   484   NtQueryInformationFile  (128, 1241472, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01878   484   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1241348,  (0x40110080, {24, 0, 0x40, 0, 1241348, "\??\C:\WINDOWS\system32\upu.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01879   484   NtClose  (-2147482584, ... ) == 0x0
 01878   484   NtCreateFile  ... 120, {status=0x0, info=2}, ) == 0x0
 01880   484   NtQueryVolumeInformationFile  (120, 1241500, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01881   484   NtQueryInformationFile  (120, 1241084, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01882   484   NtQueryVolumeInformationFile  (128, 1241500, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01883   484   NtSetInformationFile  (120, 1241400, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01884   484   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 128, ... 104, ) == 0x0
 01885   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 40960, ) == 0x0
 01886   484   NtClose  (104, ... ) == 0x0
 01887   484   NtWriteFile  (120, 0, 0, 0,  (120, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0\12\0\0\0\232\0\0\0\0\0\0]l\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0p\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0"m\1\04\0\0\0\0\320\0\0H\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0\240\0\0\0\320\0\0V\235\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30mA\0\14mA\0\16mA\0\230\1@\0\0\20@\0\14fA\0\1 @\0\10@\0\0\0\0\0\316\26@\0\1\0\0\0JmA\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 40800, 0x0, 0, ... {status=0x0, info=40800}, ) m\1\04\0\0\0\0\320\0\0H\227\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0\240\0\0\0\320\0\0V\235\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30mA\0\14mA\0\16mA\0\230\1@\0\0\20@\0\14fA\0\1 @\0\10@\0\0\0\0\0\316\26@\0\1\0\0\0JmA\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 40800, 0x0, 0, ... {status=0x0, info=40800}, ) == 0x0
 01888   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01889   484   NtSetInformationFile  (120, 1242748, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01890   484   NtClose  (128, ... ) == 0x0
 01891   484   NtClose  (120, ... ) == 0x0
 01892   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1243640, ... ) }, 1243640, ... ) == 0x0
 01893   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1242608, ... ) }, 1242608, ... ) == 0x0
 01894   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 1241380, ... ) }, 1241380, ... ) == 0x0
 01895   484   NtAllocateVirtualMemory  (-1, 1376256, 0, 16384, 4096, 4, ... 1376256, 16384, ) == 0x0
 01896   484   NtAllocateVirtualMemory  (-1, 1392640, 0, 24576, 4096, 4, ... 1392640, 24576, ) == 0x0
 01897   484   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 01898   484   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 01899   484   NtQueryDefaultLocale  (0, 1243628, ... ) == 0x0
 01900   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243676,  (0xc0100080, {24, 0, 0x40, 0, 1243676, "\??\C:\WINDOWS\system32\setupex.exe"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 01901   484   NtClose  (-2147482584, ... ) == 0x0
 01900   484   NtCreateFile  ... 120, {status=0x0, info=2}, ) == 0x0
 01902   484   NtWriteFile  (120, 0, 0, 0,  (120, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\216\201\13\1\0\0\0B\0\0\0n\0\0\0\0\0\0c/\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\3\0\12\0\0\0\0\0\0@\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0 \0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0(0\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0\0\0\0\0\0`\0\0\0\340\0\0\P\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360A\0\220A\0\240A\0\230\1@\0\0\20@\0\0\340@\0\1`@\0\1\320@\0\0\0\0\0\4\304@\0\1\0\0\0P0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 21088, 0x0, 0, ... , 21088, 0x0, 0, ...
 01903   484   NtContinue  (-139612716, 0, ...
 01902   484   NtWriteFile  ... {status=0x0, info=21088}, ) == 0x0
 01904   484   NtClose  (120, ... ) == 0x0
 01905   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01906   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 01907   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1240704, ... ) }, 1240704, ... ) == 0x0
 01908   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 5, 96, ... 120, {status=0x0, info=1}, ) }, 5, 96, ... 120, {status=0x0, info=1}, ) == 0x0
 01909   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 120, ... 128, ) == 0x0
 01910   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01911   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 104, ) }, ... 104, ) == 0x0
 01912   484   NtQueryValueKey  (104,  (104, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01913   484   NtClose  (104, ... ) == 0x0
 01914   484   NtQueryVolumeInformationFile  (120, 1239980, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01915   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 01916   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 01917   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1237912, ... ) }, 1237912, ... ) == 0x0
 01918   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 01919   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 132, ) == 0x0
 01920   484   NtClose  (104, ... ) == 0x0
 01921   484   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 126976, ) == 0x0
 01922   484   NtClose  (132, ... ) == 0x0
 01923   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01924   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 01925   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 01926   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 104, ) == 0x0
 01927   484   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01928   484   NtClose  (132, ... ) == 0x0
 01929   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0
 01930   484   NtClose  (104, ... ) == 0x0
 01931   484   NtProtectVirtualMemory  (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0
 01932   484   NtProtectVirtualMemory  (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0
 01933   484   NtFlushInstructionCache  (-1, 2008289280, 524, ... ) == 0x0
 01934   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01935   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0
 01936   484   NtQueryInformationFile  (104, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01937   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 104, ... 132, ) == 0x0
 01938   484   NtMapViewOfSection  (132, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1191936, ) == 0x0
 01939   484   NtQueryInformationFile  (104, 1238336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01940   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01941   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01942   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01943   484   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01944   484   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 136, ) }, ... 136, ) == 0x0
 01945   484   NtQueryValueKey  (136,  (136, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (136, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01946   484   NtClose  (136, ... ) == 0x0
 01947   484   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01948   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01949   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235932, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235932, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01950   484   NtClose  (136, ... ) == 0x0
 01951   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01952   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01953   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1236308, ... ) }, 1236308, ... ) == 0x0
 01954   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01955   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01956   484   NtClose  (136, ... ) == 0x0
 01957   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01958   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01959   484   NtClose  (136, ... ) == 0x0
 01960   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01961   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01962   484   NtClose  (136, ... ) == 0x0
 01963   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01964   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01965   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01966   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01967   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01968   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 01969   484   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01970   484   NtClose  (136, ... ) == 0x0
 01971   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01972   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\setupex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01973   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01974   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01975   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1237560, ... ) }, 1237560, ... ) == 0x0
 01976   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01977   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01978   484   NtClose  (136, ... ) == 0x0
 01979   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01980   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01981   484   NtClose  (136, ... ) == 0x0
 01982   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 01983   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 01984   484   NtClose  (136, ... ) == 0x0
 01985   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01986   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01987   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 01988   484   NtQueryVolumeInformationFile  (120, 1238216, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01989   484   NtQueryInformationFile  (120, 1238196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01990   484   NtQueryInformationFile  (120, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01991   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 01992   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 01993   484   NtClose  (132, ... ) == 0x0
 01994   484   NtClose  (104, ... ) == 0x0
 01995   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01996   484   NtOpenProcessToken  (-1, 0xa, ... 104, ) == 0x0
 01997   484   NtQueryInformationToken  (104, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01998   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01999   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 02000   484   NtQueryValueKey  (132,  (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02001   484   NtQueryValueKey  (132,  (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (132, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02002   484   NtClose  (132, ... ) == 0x0
 02003   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02004   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 02005   484   NtQueryValueKey  (132,  (132, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02006   484   NtClose  (132, ... ) == 0x0
 02007   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02008   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02009   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02010   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02011   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02012   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02013   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02014   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02015   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02016   484   NtQueryDefaultLocale  (1, 1239408, ... ) == 0x0
 02017   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 132, ) }, ... 132, ) == 0x0
 02018   484   NtEnumerateKey  (132, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (132, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 02019   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 136, ) }, ... 136, ) == 0x0
 02020   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 02021   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02022   484   NtClose  (136, ... ) == 0x0
 02023   484   NtEnumerateKey  (132, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02024   484   NtClose  (132, ... ) == 0x0
 02025   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 132, ) }, ... 132, ) == 0x0
 02026   484   NtEnumerateKey  (132, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (132, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0
 02027   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 136, ) }, ... 136, ) == 0x0
 02028   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0
 02029   484   NtQueryValueKey  (136,  (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02030   484   NtQueryValueKey  (136,  (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02031   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02032   484   NtClose  (136, ... ) == 0x0
 02033   484   NtEnumerateKey  (132, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (132, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0
 02034   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 136, ) }, ... 136, ) == 0x0
 02035   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0
 02036   484   NtQueryValueKey  (136,  (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02037   484   NtQueryValueKey  (136,  (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02038   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02039   484   NtClose  (136, ... ) == 0x0
 02040   484   NtEnumerateKey  (132, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (132, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0
 02041   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 136, ) }, ... 136, ) == 0x0
 02042   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0
 02043   484   NtQueryValueKey  (136,  (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02044   484   NtQueryValueKey  (136,  (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02045   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02046   484   NtClose  (136, ... ) == 0x0
 02047   484   NtEnumerateKey  (132, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (132, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0
 02048   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 136, ) }, ... 136, ) == 0x0
 02049   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0
 02050   484   NtQueryValueKey  (136,  (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02051   484   NtQueryValueKey  (136,  (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02052   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02053   484   NtClose  (136, ... ) == 0x0
 02054   484   NtEnumerateKey  (132, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (132, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0
 02055   484   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 136, ) }, ... 136, ) == 0x0
 02056   484   NtQueryValueKey  (136,  (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (136, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0
 02057   484   NtQueryValueKey  (136,  (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0
 02058   484   NtQueryValueKey  (136,  (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (136, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0
 02059   484   NtQueryValueKey  (136,  (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (136, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02060   484   NtClose  (136, ... ) == 0x0
 02061   484   NtEnumerateKey  (132, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 02062   484   NtClose  (132, ... ) == 0x0
 02063   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02064   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02065   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02066   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02068   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02070   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02072   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02073   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02074   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02075   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02076   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02077   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02078   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02079   484   NtClose  (132, ... ) == 0x0
 02080   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02082   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02083   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02084   484   NtClose  (132, ... ) == 0x0
 02085   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02086   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02087   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02088   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02089   484   NtClose  (132, ... ) == 0x0
 02090   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02091   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02092   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02093   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02094   484   NtClose  (132, ... ) == 0x0
 02095   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02096   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02097   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02098   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02099   484   NtClose  (132, ... ) == 0x0
 02100   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02101   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02102   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02103   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02104   484   NtClose  (132, ... ) == 0x0
 02105   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02106   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02107   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02108   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02109   484   NtClose  (132, ... ) == 0x0
 02110   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02112   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02113   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02114   484   NtClose  (132, ... ) == 0x0
 02115   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02116   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02117   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02118   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02119   484   NtClose  (132, ... ) == 0x0
 02120   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02121   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02122   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02123   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02124   484   NtClose  (132, ... ) == 0x0
 02125   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02126   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02127   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02128   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02129   484   NtClose  (132, ... ) == 0x0
 02130   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02131   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02132   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02133   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02134   484   NtClose  (132, ... ) == 0x0
 02135   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02136   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02137   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02138   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02139   484   NtClose  (132, ... ) == 0x0
 02140   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02142   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02143   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02144   484   NtClose  (132, ... ) == 0x0
 02145   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02146   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02147   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02148   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02149   484   NtClose  (132, ... ) == 0x0
 02150   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 02152   484   NtQueryValueKey  (132,  (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (132, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 02153   484   NtClose  (132, ... ) == 0x0
 02154   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02155   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 132, ) == 0x0
 02156   484   NtQueryInformationToken  (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02157   484   NtClose  (132, ... ) == 0x0
 02158   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02159   484   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 02160   484   NtOpenProcessToken  (-1, 0xa, ... 132, ) == 0x0
 02161   484   NtDuplicateToken  (132, 0xc, {24, 0, 0x0, 0, 1239840, 0x0}, 0, 2, ... 136, ) == 0x0
 02162   484   NtClose  (132, ... ) == 0x0
 02163   484   NtAccessCheck  (1363240, 136, 0x1, 1239916, 1239968, 56, 1239948, ... (0x1), ) == 0x0
 02164   484   NtClose  (136, ... ) == 0x0
 02165   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 136, ) }, ... 136, ) == 0x0
 02166   484   NtQueryValueKey  (136,  (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (136, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02167   484   NtClose  (136, ... ) == 0x0
 02168   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 136, ) }, ... 136, ) == 0x0
 02169   484   NtQuerySymbolicLinkObject  (136, ...  (136, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02170   484   NtClose  (136, ... ) == 0x0
 02171   484   NtQueryVolumeInformationFile  (120, 1237672, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02172   484   NtQueryInformationFile  (120, 1237788, 528, Name, ... {status=0x0, info=62}, ) == 0x0
 02173   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02174   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02175   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe"}, 1236960, ... ) }, 1236960, ... ) == 0x0
 02176   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02177   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02178   484   NtClose  (136, ... ) == 0x0
 02179   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02180   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1, "system32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02181   484   NtClose  (136, ... ) == 0x0
 02182   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02183   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236388, 616, BothDirectory, 1, "setupex.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02184   484   NtClose  (136, ... ) == 0x0
 02185   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02186   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02187   484   NtQueryInformationFile  (120, 1239828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02188   484   NtCreateSection  (0xf0005, 0x0, {21088, 0}, 2, 134217728, 120, ... 136, ) == 0x0
 02189   484   NtMapViewOfSection  (136, -1, (0x0), 0, 0, {0, 0}, 21088, 1, 0, 2, ... (0xa20000), {0, 0}, 24576, ) == 0x0
 02190   484   NtClose  (136, ... ) == 0x0
 02191   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02192   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 02193   484   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02194   484   NtClose  (136, ... ) == 0x0
 02195   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 136, ) }, ... 136, ) == 0x0
 02196   484   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0
 02197   484   NtClose  (136, ... ) == 0x0
 02198   484   NtQueryValueKey  (132,  (132, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 02199   484   NtQueryValueKey  (132,  (132, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (132, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0
 02200   484   NtClose  (132, ... ) == 0x0
 02201   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02202   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 10616832, 4096, ) == 0x0
 02203   484   NtAllocateVirtualMemory  (-1, 10616832, 0, 4096, 4096, 4, ... 10616832, 4096, ) == 0x0
 02204   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 132, ) }, ... 132, ) == 0x0
 02205   484   NtQueryValueKey  (132,  (132, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02206   484   NtClose  (132, ... ) == 0x0
 02207   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02208   484   NtQueryInformationToken  (104, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02209   484   NtQueryInformationToken  (104, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02210   484   NtClose  (104, ... ) == 0x0
 02211   484   NtQuerySection  (128, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02212   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupex.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02213   484   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02214   484   NtCreateProcessEx  (1241752, 2035711, 0, -1, 0, 128, 0, 0, 0, ... ) == 0x0
 02215   484   NtQueryInformationProcess  (104, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=1980,ParentPid=860,}, 0x0, ) == 0x0
 02216   484   NtReadVirtualMemory  (104, 0x7ffd6008, 4, ...  (104, 0x7ffd6008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02217   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\setupex.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   484   NtReadVirtualMemory  (104, 0x400000, 4096, ...  (104, 0x400000, 4096, ... "MZP\0\2\0\0\0\4\0\17\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\216\201\13\1\0\0\0B\0\0\0n\0\0\0\0\0\0c/\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\3\0\12\0\0\0\0\0\0@\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0 \0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0(0\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0\0\0\0\0\0`\0\0\0\340\0\0\P\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360A\0\220A\0\240A\0\230\1@\0\0\20@\0\0\340@\0\1`@\0\1\320@\0\0\0\0\0\4\304@\0\1\0\0\0P0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02219   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02220   484   NtQueryInformationProcess  (104, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=1980,ParentPid=860,}, 0x0, ) == 0x0
 02221   484   NtAllocateVirtualMemory  (-1, 0, 0, 2420, 4096, 4, ... 10747904, 4096, ) == 0x0
 02222   484   NtAllocateVirtualMemory  (104, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02223   484   NtWriteVirtualMemory  (104, 0x10000,  (104, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02224   484   NtAllocateVirtualMemory  (104, 0, 0, 2420, 4096, 4, ... 131072, 4096, ) == 0x0
 02225   484   NtWriteVirtualMemory  (104, 0x20000,  (104, 0x20000, "\0\20\0\0t\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\364\3\366\3\230\4\0\0>\0@\0\220\10\0\0>\0@\0\320\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0>\0@\0\20\11\0\0\36\0 \0P\11\0\0\0\0\2\0p\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2420, ... 0x0, ) , 2420, ... 0x0, ) == 0x0
 02226   484   NtWriteVirtualMemory  (104, 0x7ffd6010,  (104, 0x7ffd6010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02227   484   NtWriteVirtualMemory  (104, 0x7ffd61e8,  (104, 0x7ffd61e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02228   484   NtFreeVirtualMemory  (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0
 02229   484   NtAllocateVirtualMemory  (104, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02230   484   NtAllocateVirtualMemory  (104, 1232896, 0, 12288, 4096, 4, ... 1232896, 12288, ) == 0x0
 02231   484   NtProtectVirtualMemory  (104, (0x12d000), 4096, 260, ... (0x12d000), 4096, 4, ) == 0x0
 02232   484   NtCreateThread  (0x1f03ff, 0x0, 104, 1241760, 1241424, 1, ... 132, {1980, 1784}, ) == 0x0
 02233   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1329928, 2147340288}  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1329928, 2147340288} "\0\0\0\0\0\0\1\0\10\366\22\0\0\0\0\0k\0\0\0\204\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 860, 484, 57989, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0\204\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ... {168, 196, reply, 0, 860, 484, 57989, 0}  (24, {168, 196, new_msg, 0, 2089883030, 2089879275, 1329928, 2147340288} "\0\0\0\0\0\0\1\0\10\366\22\0\0\0\0\0k\0\0\0\204\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 860, 484, 57989, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0h\0\0\0\204\0\0\0\274\7\0\0\370\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ) == 0x0
 02234   484   NtResumeThread  (132, ... 1, ) == 0x0
 02235   484   NtClose  (120, ... ) == 0x0
 02236   484   NtClose  (128, ... ) == 0x0
 02237   484   NtQueryInformationProcess  (104, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd6000,AffinityMask=0x1,BasePriority=8,Pid=1980,ParentPid=860,}, 0x0, ) == 0x0
 02238   484   NtUserWaitForInputIdle  (1980, 30000, 0, ...
 02239   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 02240   484   NtClose  (128, ... ) == 0x0
 02238   484   NtUserWaitForInputIdle  ... ) == 0x0
 02241   484   NtClose  (104, ... ) == 0x0
 02242   484   NtClose  (132, ... ) == 0x0
 02243   484   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02244   484   NtQueryDefaultLocale  (1, 1243632, ... ) == 0x0
 02245   484   NtQueryDefaultLocale  (0, 1243628, ... ) == 0x0
 02246   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243676,  (0xc0100080, {24, 0, 0x40, 0, 1243676, "\??\C:\WINDOWS\svchost.exe"}, 0x0, 128, 0, 5, 96, 0, 0, ... }, 0x0, 128, 0, 5, 96, 0, 0, ...
 02247   484   NtClose  (-2147482584, ... ) == 0x0
 02246   484   NtCreateFile  ... 132, {status=0x0, info=2}, ) == 0x0
 02248   484   NtWriteFile  (132, 0, 0, 0,  (132, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0N\0\0\0\220\0\0\0\0\0\0N,\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\23-\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\340\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0@\0\0\0\360\0\0G=\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11-A\0\375,A\0\377,A\0\230\1@\0\0\20@\0\0\360@\0\1`@\0\0\0\0\0\334Y@\0\1\0\0\0;-A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16208, 0x0, 0, ... , 16208, 0x0, 0, ...
 02249   484   NtContinue  (-139612716, 0, ...
 02248   484   NtWriteFile  ... {status=0x0, info=16208}, ) == 0x0
 02250   484   NtClose  (132, ... ) == 0x0
 02251   484   NtOpenFile  (0x100100, {24, 0, 0x40, 0, 0,  (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0
 02252   484   NtSetInformationFile  (132, 1243668, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 02253   484   NtClose  (132, ... ) == 0x0
 02254   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02255   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1239968, ... ) }, 1239968, ... ) == 0x0
 02256   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1240704, ... ) }, 1240704, ... ) == 0x0
 02257   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 02258   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 132, ... 104, ) == 0x0
 02259   484   NtQueryVolumeInformationFile  (132, 1239980, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02260   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02261   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02262   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 02263   484   NtQueryInformationFile  (128, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02264   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 128, ... 120, ) == 0x0
 02265   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa40000), 0x0, 1191936, ) == 0x0
 02266   484   NtQueryInformationFile  (128, 1238336, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02267   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   484   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   484   NtOpenKey  (0x101, {24, 0, 0x40, 0, 0,  (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 136, ) }, ... 136, ) == 0x0
 02270   484   NtQueryValueKey  (136,  (136, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (136, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 02271   484   NtClose  (136, ... ) == 0x0
 02272   484   NtCreateFile  (0x120116, {24, 0, 0x40, 0, 0,  (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02273   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02274   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235932, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235932, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02275   484   NtClose  (136, ... ) == 0x0
 02276   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02277   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02278   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236308, ... ) }, 1236308, ... ) == 0x0
 02279   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02280   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02281   484   NtClose  (136, ... ) == 0x0
 02282   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02283   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1,  (136, 0, 0, 0, 1235736, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02284   484   NtClose  (136, ... ) == 0x0
 02285   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02286   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02287   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02288   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02289   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02290   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 02291   484   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02292   484   NtClose  (136, ... ) == 0x0
 02293   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\svchost.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02295   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1237156, ... ) }, 1237156, ... ) == 0x0
 02296   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 136, ) }, ... 136, ) == 0x0
 02297   484   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0
 02298   484   NtClose  (136, ... ) == 0x0
 02299   484   NtProtectVirtualMemory  (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0
 02300   484   NtProtectVirtualMemory  (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0
 02301   484   NtFlushInstructionCache  (-1, 2009075712, 304, ... ) == 0x0
 02302   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02304   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02305   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 02306   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0
 02307   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 136, ... 140, ) == 0x0
 02308   484   NtClose  (136, ... ) == 0x0
 02309   484   NtMapViewOfSection  (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb70000), 0x0, 16384, ) == 0x0
 02310   484   NtClose  (140, ... ) == 0x0
 02311   484   NtUnmapViewOfSection  (-1, 0xb70000, ... ) == 0x0
 02312   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1235604, ... ) }, 1235604, ... ) == 0x0
 02313   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236348,  (0x80100080, {24, 0, 0x40, 0, 1236348, "\??\C:\WINDOWS\svchost.exe"}, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 140, {status=0x0, info=1}, ) == 0x0
 02314   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 140, ... 136, ) == 0x0
 02315   484   NtClose  (140, ... ) == 0x0
 02316   484   NtMapViewOfSection  (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb70000), {0, 0}, 16384, ) == 0x0
 02317   484   NtClose  (136, ... ) == 0x0
 02318   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02319   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02320   484   NtUnmapViewOfSection  (-1, 0xb70000, ... ) == 0x0
 02321   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02322   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02323   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1237560, ... ) }, 1237560, ... ) == 0x0
 02324   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02325   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02326   484   NtClose  (136, ... ) == 0x0
 02327   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 136, {status=0x0, info=1}, ) }, 3, 16417, ... 136, {status=0x0, info=1}, ) == 0x0
 02328   484   NtQueryDirectoryFile  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1,  (136, 0, 0, 0, 1236988, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02329   484   NtClose  (136, ... ) == 0x0
 02330   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02331   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02332   484   NtWaitForSingleObject  (92, 0, {-1000000, -1}, ... ) == 0x0
 02333   484   NtQueryVolumeInformationFile  (132, 1238216, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02334   484   NtQueryInformationFile  (132, 1238196, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02335   484   NtQueryInformationFile  (132, 1238236, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02336   484   NtReleaseMutant  (92, ... 0x0, ) == 0x0
 02337   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 02338   484   NtClose  (120, ... ) == 0x0
 02339   484   NtClose  (128, ... ) == 0x0
 02340   484   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 02341   484   NtOpenProcessToken  (-1, 0xa, ... 128, ) == 0x0
 02342   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 02343   484   NtQueryKey  (120, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (120, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="CodeIdentifierso"}, 46, ) }, 46, ) == 0x0
 02344   484   NtClose  (120, ... ) == 0x0
 02345   484   NtOpenKey  (0x2000000, {24, 80, 0x40, 0, 0,  (0x2000000, {24, 80, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02346   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 120, ) }, ... 120, ) == 0x0
 02347   484   NtQuerySymbolicLinkObject  (120, ...  (120, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 02348   484   NtClose  (120, ... ) == 0x0
 02349   484   NtQueryVolumeInformationFile  (132, 1237672, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02350   484   NtQueryInformationFile  (132, 1237788, 528, Name, ... {status=0x0, info=44}, ) == 0x0
 02351   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02352   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02353   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe"}, 1236960, ... ) }, 1236960, ... ) == 0x0
 02354   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 02355   484   NtQueryDirectoryFile  (120, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236388, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02356   484   NtClose  (120, ... ) == 0x0
 02357   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 120, {status=0x0, info=1}, ) }, 3, 16417, ... 120, {status=0x0, info=1}, ) == 0x0
 02358   484   NtQueryDirectoryFile  (120, 0, 0, 0, 1236388, 616, BothDirectory, 1,  (120, 0, 0, 0, 1236388, 616, BothDirectory, 1, "svchost.exe", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0
 02359   484   NtClose  (120, ... ) == 0x0
 02360   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02361   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02362   484   NtQueryInformationFile  (132, 1239828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02363   484   NtCreateSection  (0xf0005, 0x0, {16208, 0}, 2, 134217728, 132, ... 120, ) == 0x0
 02364   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, {0, 0}, 16208, 1, 0, 2, ... (0xa40000), {0, 0}, 16384, ) == 0x0
 02365   484   NtClose  (120, ... ) == 0x0
 02366   484   NtUnmapViewOfSection  (-1, 0xa40000, ... ) == 0x0
 02367   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 120, ) }, ... 120, ) == 0x0
 02368   484   NtQueryValueKey  (120,  (120, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02369   484   NtClose  (120, ... ) == 0x0
 02370   484   NtQueryInformationToken  (128, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 02371   484   NtQueryInformationToken  (128, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 02372   484   NtClose  (128, ... ) == 0x0
 02373   484   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02374   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02375   484   NtQuerySystemInformation  (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0
 02376   484   NtCreateProcessEx  (1241752, 2035711, 0, -1, 0, 104, 0, 0, 0, ... ) == 0x0
 02377   484   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1692,ParentPid=860,}, 0x0, ) == 0x0
 02378   484   NtReadVirtualMemory  (128, 0x7ffde008, 4, ...  (128, 0x7ffde008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0
 02379   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\svchost.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02380   484   NtReadVirtualMemory  (128, 0x400000, 4096, ...  (128, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0PE\0\0L\1\2\0FSG!\0\0\0\0\0\0\0\0\340\0\17\1\13\1\0\0\0N\0\0\0\220\0\0\0\0\0\0N,\1\0\0\20\0\0\14\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\2\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\23-\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\0\0\0\0\340\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300\0\0\0\0a\0\0\0\0@\0\0\0\360\0\0G=\0\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\300KERNEL32.dll\0\0\0LoadLibraryA\0\0GetProcAddress\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\11-A\0\375,A\0\377,A\0\230\1@\0\0\20@\0\0\360@\0\1`@\0\0\0\0\0\334Y@\0\1\0\0\0;-A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02381   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02382   484   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1692,ParentPid=860,}, 0x0, ) == 0x0
 02383   484   NtAllocateVirtualMemory  (-1, 0, 0, 2352, 4096, 4, ... 10747904, 4096, ) == 0x0
 02384   484   NtAllocateVirtualMemory  (128, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0
 02385   484   NtWriteVirtualMemory  (128, 0x10000,  (128, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0
 02386   484   NtAllocateVirtualMemory  (128, 0, 0, 2352, 4096, 4, ... 131072, 4096, ) == 0x0
 02387   484   NtWriteVirtualMemory  (128, 0x20000,  (128, 0x20000, "\0\20\0\00\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\342\3\344\3\230\4\0\0,\0.\0|\10\0\0,\0.\0\254\10\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0,\0.\0\334\10\0\0\36\0 \0\14\11\0\0\0\0\2\0,\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2352, ... 0x0, ) , 2352, ... 0x0, ) == 0x0
 02388   484   NtWriteVirtualMemory  (128, 0x7ffde010,  (128, 0x7ffde010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02389   484   NtWriteVirtualMemory  (128, 0x7ffde1e8,  (128, 0x7ffde1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02390   484   NtFreeVirtualMemory  (-1, (0xa40000), 0, 32768, ... (0xa40000), 4096, ) == 0x0
 02391   484   NtAllocateVirtualMemory  (128, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02392   484   NtAllocateVirtualMemory  (128, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 02393   484   NtProtectVirtualMemory  (128, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 02394   484   NtCreateThread  (0x1f03ff, 0x0, 128, 1241760, 1241424, 1, ... 120, {1692, 1792}, ) == 0x0
 02395   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 860, 484, 57989, 0}  (24, {168, 196, new_msg, 0, 860, 484, 57989, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\203\0\0\0x\0\0\0\234\6\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 860, 484, 58023, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0x\0\0\0\234\6\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ... {168, 196, reply, 0, 860, 484, 58023, 0}  (24, {168, 196, new_msg, 0, 860, 484, 57989, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\203\0\0\0x\0\0\0\234\6\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\221|\224\371\22\0" ... {168, 196, reply, 0, 860, 484, 58023, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0x\0\0\0\234\6\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\365\22\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\375\177\0\0\0\0\0\0\221|\224\371\22\0" )  ) == 0x0
 02396   484   NtResumeThread  (120, ... 1, ) == 0x0
 02397   484   NtClose  (132, ... ) == 0x0
 02398   484   NtClose  (104, ... ) == 0x0
 02399   484   NtQueryInformationProcess  (128, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffde000,AffinityMask=0x1,BasePriority=8,Pid=1692,ParentPid=860,}, 0x0, ) == 0x0
 02400   484   NtUserWaitForInputIdle  (1692, 30000, 0, ...
 02401   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 02402   484   NtClose  (104, ... ) == 0x0
 02400   484   NtUserWaitForInputIdle  ... ) == 0x0
 02403   484   NtClose  (128, ... ) == 0x0
 02404   484   NtClose  (120, ... ) == 0x0
 02405   484   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02406   484   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 02407   484   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 02408   484   NtTerminateProcess  (0, 0, ... ) == 0x0
 02409   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0
 02410   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Msctf.dll"}, 1241600, ... ) }, 1241600, ... ) == 0x0
 02411   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Msctf.dll"}, 1241508, ... ) }, 1241508, ... ) == 0x0
 02412   484   NtUserGetClassInfo  (1968963584, 1243836, 1244400, 1243832, 0, ... ) == 0xc079
 02413   484   NtUserUnregisterClass  (1243840, 1968963584, 1243828, ... ) == 0x1
 02414   484   NtUserDestroyCursor  (65539, 1, ... ) == 0x1
 02415   484   NtUserDestroyCursor  (4522213, 1, ... ) == 0x0
 02416   484   NtUserGetClassInfo  (1968963584, 1243836, 1244400, 1243832, 0, ... ) == 0xc07a
 02417   484   NtUserUnregisterClass  (1243840, 1968963584, 1243828, ... ) == 0x1
 02418   484   NtUserDestroyCursor  (0, 1, ... ) == 0x0
 02419   484   NtUserDestroyCursor  (0, 1, ... ) == 0x0
 02420   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02421   484   NtGdiDeleteObjectApp  (-1660877202, ... ) == 0x1
 02422   484   NtGdiDeleteObjectApp  (-956234582, ... ) == 0x1
 02423   484   NtGdiDeleteObjectApp  (-1694431919, ... ) == 0x1
 02424   484   NtUserPostThreadMessage  (1748, 49315, 0, 484, ... ) == 0x1
 02425   484   NtUserPostThreadMessage  (416, 49315, 0, 484, ... ) == 0x1
 02426   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02427   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02428   484   NtUserValidateHandleSecure  (393540, ... ) == 0x1
 02429   484   NtUserSetWindowLong  (393540, -4, 2118243566, 1, ... ) == 0x7473f99e
 02430   484   NtUserUnhookWindowsHookEx  (393695, ... ) == 0x1
 02431   484   NtUserUnhookWindowsHookEx  (1573423, ... ) == 0x1
 02432   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 02433   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 02434   484   NtUserDestroyCursor  (590411, 1, ... ) == 0x1
 02435   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 02436   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 02437   484   NtUserPostThreadMessage  (1748, 49316, 0, 484, ... ) == 0x1
 02438   484   NtUserPostThreadMessage  (416, 49316, 0, 484, ... ) == 0x1
 02439   484   NtUnmapViewOfSection  (-1, 0x990000, ... ) == 0x0
 02440   484   NtClose  (112, ... ) == 0x0
 02441   484   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 02442   484   NtClose  (124, ... ) == 0x0
 02443   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02444   484   NtUserPostMessage  (65742, 49321, 12260250, 12, ... ) == 0x1
 02445   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02446   484   NtUserPostMessage  (65742, 49321, 12260250, 13, ... ) == 0x1
 02447   484   NtUserValidateHandleSecure  (65742, ... ) == 0x1
 02448   484   NtUserPostMessage  (65742, 49321, 12260250, 14, ... ) == 0x1
 02449   484   NtUnmapViewOfSection  (-1, 0x9a0000, ... ) == 0x0
 02450   484   NtClose  (116, ... ) == 0x0
 02451   484   NtClose  (108, ... ) == 0x0
 02452   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02453   484   NtUnmapViewOfSection  (-1, 0x8c0000, ... ) == 0x0
 02454   484   NtClose  (88, ... ) == 0x0
 02455   484   NtClose  (84, ... ) == 0x0
 02456   484   NtClose  (60, ... ) == 0x0
 02457   484   NtClose  (64, ... ) == 0x0
 02458   484   NtClose  (68, ... ) == 0x0
 02459   484   NtClose  (72, ... ) == 0x0
 02460   484   NtClose  (76, ... ) == 0x0
 02461   484   NtUnmapViewOfSection  (-1, 0x8b0000, ... ) == 0x0
 02462   484   NtClose  (56, ... ) == 0x0
 02463   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02464   484   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 02465   484   NtClose  (48, ... ) == 0x0
 02466   484   NtGdiDeleteObjectApp  (1024460140, ... ) == 0x1
 02467   484   NtUserGetProcessWindowStation  (... ) == 0x20
 02468   484   NtUserBuildNameList  (32, 522, 1334440, 1244040, ... ) == 0x0
 02469   484   NtUserGetProcessWindowStation  (... ) == 0x20
 02470   484   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x30
 02471   484   NtUserBuildHwndList  (48, 0, 0, 0, 64, ... (0x5009e, 0x400fa, 0x10074, 0x10080, 0x10070, 0x10084, 0x30048, 0x10072, 0x20052, 0x5009c, 0x10090, 0x500a2, 0x100d0, 0x200b0, 0x100cc, 0xb0102, 0x70104, 0x70100, 0x20118, 0x3014c, 0x1011c, 0x100e6, 0x100d6, 0x100d2, 0x100ca, 0x100c8, 0x100ba, 0x100ae, 0x100ac, 0x300a6, 0x10078, 0x30062, 0x50036, 0x5005c, 0x100be, 0x400fe, 0x10092, 0x10086, 0x40034, 0x50050, 0x1013c, 0x10120, 0x100c2, 0x100bc, 0xe011a, 0x2014e, 0x100d8, 0x100b6, 0x100b8, 0x100b4, 0x100c0, 0x1009a, 0x5005e, 0x1, ), 54, ) == 0x0
 02472   484   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02473   484   NtUserQueryWindow  (327838, 0, ... ) == 0x6b8
 02474   484   NtUserQueryWindow  (327838, 1, ... ) == 0x6d4
 02475   484   NtUserValidateHandleSecure  (327838, ... ) == 0x1
 02476   484   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02477   484   NtUserQueryWindow  (262394, 0, ... ) == 0x6b8
 02478   484   NtUserQueryWindow  (262394, 1, ... ) == 0x6d4
 02479   484   NtUserValidateHandleSecure  (262394, ... ) == 0x1
 02480   484   NtUserBuildHwndList  (0, 262394, 1, 0, 64, ... (0x80064, 0x60068, 0x6006c, 0x50094, 0x50096, 0x60066, 0x7006a, 0x90058, 0x6006e, 0x5008a, 0x50088, 0x500a0, 0x1, ), 13, ) == 0x0
 02481   484   NtUserValidateHandleSecure  (524388, ... ) == 0x1
 02482   484   NtUserQueryWindow  (524388, 0, ... ) == 0x6b8
 02483   484   NtUserQueryWindow  (524388, 1, ... ) == 0x6d4
 02484   484   NtUserValidateHandleSecure  (393320, ... ) == 0x1
 02485   484   NtUserQueryWindow  (393320, 0, ... ) == 0x6b8
 02486   484   NtUserQueryWindow  (393320, 1, ... ) == 0x6d4
 02487   484   NtUserValidateHandleSecure  (393324, ... ) == 0x1
 02488   484   NtUserQueryWindow  (393324, 0, ... ) == 0x6b8
 02489   484   NtUserQueryWindow  (393324, 1, ... ) == 0x6d4
 02490   484   NtUserValidateHandleSecure  (327828, ... ) == 0x1
 02491   484   NtUserQueryWindow  (327828, 0, ... ) == 0x6b8
 02492   484   NtUserQueryWindow  (327828, 1, ... ) == 0x6d4
 02493   484   NtUserValidateHandleSecure  (327830, ... ) == 0x1
 02494   484   NtUserQueryWindow  (327830, 0, ... ) == 0x6b8
 02495   484   NtUserQueryWindow  (327830, 1, ... ) == 0x6d4
 02496   484   NtUserValidateHandleSecure  (393318, ... ) == 0x1
 02497   484   NtUserQueryWindow  (393318, 0, ... ) == 0x6b8
 02498   484   NtUserQueryWindow  (393318, 1, ... ) == 0x6d4
 02499   484   NtUserValidateHandleSecure  (458858, ... ) == 0x1
 02500   484   NtUserQueryWindow  (458858, 0, ... ) == 0x6b8
 02501   484   NtUserQueryWindow  (458858, 1, ... ) == 0x6d4
 02502   484   NtUserValidateHandleSecure  (589912, ... ) == 0x1
 02503   484   NtUserQueryWindow  (589912, 0, ... ) == 0x6b8
 02504   484   NtUserQueryWindow  (589912, 1, ... ) == 0x6d4
 02505   484   NtUserValidateHandleSecure  (393326, ... ) == 0x1
 02506   484   NtUserQueryWindow  (393326, 0, ... ) == 0x6b8
 02507   484   NtUserQueryWindow  (393326, 1, ... ) == 0x6d4
 02508   484   NtUserValidateHandleSecure  (327818, ... ) == 0x1
 02509   484   NtUserQueryWindow  (327818, 0, ... ) == 0x6b8
 02510   484   NtUserQueryWindow  (327818, 1, ... ) == 0x6d4
 02511   484   NtUserValidateHandleSecure  (327816, ... ) == 0x1
 02512   484   NtUserQueryWindow  (327816, 0, ... ) == 0x6b8
 02513   484   NtUserQueryWindow  (327816, 1, ... ) == 0x6d4
 02514   484   NtUserValidateHandleSecure  (327840, ... ) == 0x1
 02515   484   NtUserQueryWindow  (327840, 0, ... ) == 0x6b8
 02516   484   NtUserQueryWindow  (327840, 1, ... ) == 0x6d4
 02517   484   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02518   484   NtUserQueryWindow  (65652, 0, ... ) == 0x6b8
 02519   484   NtUserQueryWindow  (65652, 1, ... ) == 0x6d4
 02520   484   NtUserValidateHandleSecure  (65652, ... ) == 0x1
 02521   484   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02522   484   NtUserQueryWindow  (65664, 0, ... ) == 0x6b8
 02523   484   NtUserQueryWindow  (65664, 1, ... ) == 0x6d4
 02524   484   NtUserValidateHandleSecure  (65664, ... ) == 0x1
 02525   484   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02526   484   NtUserQueryWindow  (65648, 0, ... ) == 0x6b8
 02527   484   NtUserQueryWindow  (65648, 1, ... ) == 0x6d4
 02528   484   NtUserValidateHandleSecure  (65648, ... ) == 0x1
 02529   484   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02530   484   NtUserQueryWindow  (65668, 0, ... ) == 0x6b8
 02531   484   NtUserQueryWindow  (65668, 1, ... ) == 0x6d4
 02532   484   NtUserValidateHandleSecure  (65668, ... ) == 0x1
 02533   484   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02534   484   NtUserQueryWindow  (196680, 0, ... ) == 0x6b8
 02535   484   NtUserQueryWindow  (196680, 1, ... ) == 0x6d4
 02536   484   NtUserValidateHandleSecure  (196680, ... ) == 0x1
 02537   484   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02538   484   NtUserQueryWindow  (65650, 0, ... ) == 0x6b8
 02539   484   NtUserQueryWindow  (65650, 1, ... ) == 0x6d4
 02540   484   NtUserValidateHandleSecure  (65650, ... ) == 0x1
 02541   484   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02542   484   NtUserQueryWindow  (131154, 0, ... ) == 0x6b8
 02543   484   NtUserQueryWindow  (131154, 1, ... ) == 0x6d4
 02544   484   NtUserValidateHandleSecure  (131154, ... ) == 0x1
 02545   484   NtUserBuildHwndList  (0, 131154, 1, 0, 64, ... (0x3003e, 0x3003c, 0x30040, 0x30042, 0x30044, 0x30046, 0x10076, 0x10082, 0x1007a, 0x1007e, 0x1, ), 11, ) == 0x0
 02546   484   NtUserValidateHandleSecure  (196670, ... ) == 0x1
 02547   484   NtUserQueryWindow  (196670, 0, ... ) == 0x6b8
 02548   484   NtUserQueryWindow  (196670, 1, ... ) == 0x6d4
 02549   484   NtUserValidateHandleSecure  (196668, ... ) == 0x1
 02550   484   NtUserQueryWindow  (196668, 0, ... ) == 0x6b8
 02551   484   NtUserQueryWindow  (196668, 1, ... ) == 0x6d4
 02552   484   NtUserValidateHandleSecure  (196672, ... ) == 0x1
 02553   484   NtUserQueryWindow  (196672, 0, ... ) == 0x6b8
 02554   484   NtUserQueryWindow  (196672, 1, ... ) == 0x6d4
 02555   484   NtUserValidateHandleSecure  (196674, ... ) == 0x1
 02556   484   NtUserQueryWindow  (196674, 0, ... ) == 0x6b8
 02557   484   NtUserQueryWindow  (196674, 1, ... ) == 0x6d4
 02558   484   NtUserValidateHandleSecure  (196676, ... ) == 0x1
 02559   484   NtUserQueryWindow  (196676, 0, ... ) == 0x6b8
 02560   484   NtUserQueryWindow  (196676, 1, ... ) == 0x6d4
 02561   484   NtUserValidateHandleSecure  (196678, ... ) == 0x1
 02562   484   NtUserQueryWindow  (196678, 0, ... ) == 0x6b8
 02563   484   NtUserQueryWindow  (196678, 1, ... ) == 0x6d4
 02564   484   NtUserValidateHandleSecure  (65654, ... ) == 0x1
 02565   484   NtUserQueryWindow  (65654, 0, ... ) == 0x6b8
 02566   484   NtUserQueryWindow  (65654, 1, ... ) == 0x6d4
 02567   484   NtUserValidateHandleSecure  (65666, ... ) == 0x1
 02568   484   NtUserQueryWindow  (65666, 0, ... ) == 0x6b8
 02569   484   NtUserQueryWindow  (65666, 1, ... ) == 0x6d4
 02570   484   NtUserValidateHandleSecure  (65658, ... ) == 0x1
 02571   484   NtUserQueryWindow  (65658, 0, ... ) == 0x6b8
 02572   484   NtUserQueryWindow  (65658, 1, ... ) == 0x6d4
 02573   484   NtUserValidateHandleSecure  (65662, ... ) == 0x1
 02574   484   NtUserQueryWindow  (65662, 0, ... ) == 0x6b8
 02575   484   NtUserQueryWindow  (65662, 1, ... ) == 0x6d4
 02576   484   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02577   484   NtUserQueryWindow  (327836, 0, ... ) == 0x6b8
 02578   484   NtUserQueryWindow  (327836, 1, ... ) == 0x6d4
 02579   484   NtUserValidateHandleSecure  (327836, ... ) == 0x1
 02580   484   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02581   484   NtUserQueryWindow  (65680, 0, ... ) == 0x6b8
 02582   484   NtUserQueryWindow  (65680, 1, ... ) == 0x6bc
 02583   484   NtUserValidateHandleSecure  (65680, ... ) == 0x1
 02584   484   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02585   484   NtUserQueryWindow  (327842, 0, ... ) == 0x6b8
 02586   484   NtUserQueryWindow  (327842, 1, ... ) == 0x6d4
 02587   484   NtUserValidateHandleSecure  (327842, ... ) == 0x1
 02588   484   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02589   484   NtUserQueryWindow  (65744, 0, ... ) == 0x19c
 02590   484   NtUserQueryWindow  (65744, 1, ... ) == 0x1a0
 02591   484   NtUserValidateHandleSecure  (65744, ... ) == 0x1
 02592   484   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02593   484   NtUserQueryWindow  (131248, 0, ... ) == 0xa0
 02594   484   NtUserQueryWindow  (131248, 1, ... ) == 0xe4
 02595   484   NtUserValidateHandleSecure  (131248, ... ) == 0x1
 02596   484   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02597   484   NtUserQueryWindow  (65740, 0, ... ) == 0x19c
 02598   484   NtUserQueryWindow  (65740, 1, ... ) == 0x1a0
 02599   484   NtUserValidateHandleSecure  (65740, ... ) == 0x1
 02600   484   NtUserValidateHandleSecure  (721154, ... ) == 0x1
 02601   484   NtUserQueryWindow  (721154, 0, ... ) == 0x7bc
 02602   484   NtUserQueryWindow  (721154, 1, ... ) == 0x4e8
 02603   484   NtUserValidateHandleSecure  (721154, ... ) == 0x1
 02604   484   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02605   484   NtUserQueryWindow  (459012, 0, ... ) == 0x49c
 02606   484   NtUserQueryWindow  (459012, 1, ... ) == 0x180
 02607   484   NtUserValidateHandleSecure  (459012, ... ) == 0x1
 02608   484   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02609   484   NtUserQueryWindow  (459008, 0, ... ) == 0x5e8
 02610   484   NtUserQueryWindow  (459008, 1, ... ) == 0x1dc
 02611   484   NtUserValidateHandleSecure  (459008, ... ) == 0x1
 02612   484   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02613   484   NtUserQueryWindow  (131352, 0, ... ) == 0x6ac
 02614   484   NtUserQueryWindow  (131352, 1, ... ) == 0x7f4
 02615   484   NtUserValidateHandleSecure  (131352, ... ) == 0x1
 02616   484   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02617   484   NtUserQueryWindow  (196940, 0, ... ) == 0x4b4
 02618   484   NtUserQueryWindow  (196940, 1, ... ) == 0x474
 02619   484   NtUserValidateHandleSecure  (196940, ... ) == 0x1
 02620   484   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02621   484   NtUserQueryWindow  (65820, 0, ... ) == 0x22c
 02622   484   NtUserQueryWindow  (65820, 1, ... ) == 0x220
 02623   484   NtUserValidateHandleSecure  (65820, ... ) == 0x1
 02624   484   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02625   484   NtUserQueryWindow  (65766, 0, ... ) == 0x6b8
 02626   484   NtUserQueryWindow  (65766, 1, ... ) == 0x13c
 02627   484   NtUserValidateHandleSecure  (65766, ... ) == 0x1
 02628   484   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02629   484   NtUserQueryWindow  (65750, 0, ... ) == 0x6b8
 02630   484   NtUserQueryWindow  (65750, 1, ... ) == 0x13c
 02631   484   NtUserValidateHandleSecure  (65750, ... ) == 0x1
 02632   484   NtUserBuildHwndList  (0, 65750, 1, 0, 64, ... (0x100da, 0x100dc, 0x100de, 0x100e0, 0x1, ), 5, ) == 0x0
 02633   484   NtUserValidateHandleSecure  (65754, ... ) == 0x1
 02634   484   NtUserQueryWindow  (65754, 0, ... ) == 0x6b8
 02635   484   NtUserQueryWindow  (65754, 1, ... ) == 0x13c
 02636   484   NtUserValidateHandleSecure  (65756, ... ) == 0x1
 02637   484   NtUserQueryWindow  (65756, 0, ... ) == 0x6b8
 02638   484   NtUserQueryWindow  (65756, 1, ... ) == 0x13c
 02639   484   NtUserValidateHandleSecure  (65758, ... ) == 0x1
 02640   484   NtUserQueryWindow  (65758, 0, ... ) == 0x6b8
 02641   484   NtUserQueryWindow  (65758, 1, ... ) == 0x13c
 02642   484   NtUserValidateHandleSecure  (65760, ... ) == 0x1
 02643   484   NtUserQueryWindow  (65760, 0, ... ) == 0x6b8
 02644   484   NtUserQueryWindow  (65760, 1, ... ) == 0x13c
 02645   484   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02646   484   NtUserQueryWindow  (65746, 0, ... ) == 0x6b8
 02647   484   NtUserQueryWindow  (65746, 1, ... ) == 0x6d4
 02648   484   NtUserValidateHandleSecure  (65746, ... ) == 0x1
 02649   484   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02650   484   NtUserQueryWindow  (65738, 0, ... ) == 0x19c
 02651   484   NtUserQueryWindow  (65738, 1, ... ) == 0x1a0
 02652   484   NtUserValidateHandleSecure  (65738, ... ) == 0x1
 02653   484   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02654   484   NtUserQueryWindow  (65736, 0, ... ) == 0xa0
 02655   484   NtUserQueryWindow  (65736, 1, ... ) == 0xe4
 02656   484   NtUserValidateHandleSecure  (65736, ... ) == 0x1
 02657   484   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02658   484   NtUserQueryWindow  (65722, 0, ... ) == 0x104
 02659   484   NtUserQueryWindow  (65722, 1, ... ) == 0x108
 02660   484   NtUserValidateHandleSecure  (65722, ... ) == 0x1
 02661   484   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02662   484   NtUserQueryWindow  (65710, 0, ... ) == 0x104
 02663   484   NtUserQueryWindow  (65710, 1, ... ) == 0x108
 02664   484   NtUserValidateHandleSecure  (65710, ... ) == 0x1
 02665   484   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02666   484   NtUserQueryWindow  (65708, 0, ... ) == 0x120
 02667   484   NtUserQueryWindow  (65708, 1, ... ) == 0x124
 02668   484   NtUserValidateHandleSecure  (65708, ... ) == 0x1
 02669   484   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02670   484   NtUserQueryWindow  (196774, 0, ... ) == 0xc4
 02671   484   NtUserQueryWindow  (196774, 1, ... ) == 0xc8
 02672   484   NtUserValidateHandleSecure  (196774, ... ) == 0x1
 02673   484   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02674   484   NtUserQueryWindow  (65656, 0, ... ) == 0x6b8
 02675   484   NtUserQueryWindow  (65656, 1, ... ) == 0x6ec
 02676   484   NtUserValidateHandleSecure  (65656, ... ) == 0x1
 02677   484   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02678   484   NtUserQueryWindow  (196706, 0, ... ) == 0x6b8
 02679   484   NtUserQueryWindow  (196706, 1, ... ) == 0x6bc
 02680   484   NtUserValidateHandleSecure  (196706, ... ) == 0x1
 02681   484   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02682   484   NtUserQueryWindow  (327734, 0, ... ) == 0x6b8
 02683   484   NtUserQueryWindow  (327734, 1, ... ) == 0x6bc
 02684   484   NtUserValidateHandleSecure  (327734, ... ) == 0x1
 02685   484   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02686   484   NtUserQueryWindow  (327772, 0, ... ) == 0x6b8
 02687   484   NtUserQueryWindow  (327772, 1, ... ) == 0x6bc
 02688   484   NtUserValidateHandleSecure  (327772, ... ) == 0x1
 02689   484   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02690   484   NtUserQueryWindow  (65726, 0, ... ) == 0x19c
 02691   484   NtUserQueryWindow  (65726, 1, ... ) == 0x1a0
 02692   484   NtUserValidateHandleSecure  (65726, ... ) == 0x1
 02693   484   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02694   484   NtUserQueryWindow  (262398, 0, ... ) == 0x6b8
 02695   484   NtUserQueryWindow  (262398, 1, ... ) == 0x6d4
 02696   484   NtUserValidateHandleSecure  (262398, ... ) == 0x1
 02697   484   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02698   484   NtUserQueryWindow  (65682, 0, ... ) == 0x6b8
 02699   484   NtUserQueryWindow  (65682, 1, ... ) == 0x6bc
 02700   484   NtUserValidateHandleSecure  (65682, ... ) == 0x1
 02701   484   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02702   484   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 02703   484   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 02704   484   NtUserValidateHandleSecure  (65670, ... ) == 0x1
 02705   484   NtUserBuildHwndList  (0, 65670, 1, 0, 64, ... (0x1008c, 0x1008e, 0x1, ), 3, ) == 0x0
 02706   484   NtUserValidateHandleSecure  (65676, ... ) == 0x1
 02707   484   NtUserQueryWindow  (65676, 0, ... ) == 0x6b8
 02708   484   NtUserQueryWindow  (65676, 1, ... ) == 0x6bc
 02709   484   NtUserValidateHandleSecure  (65678, ... ) == 0x1
 02710   484   NtUserQueryWindow  (65678, 0, ... ) == 0x6b8
 02711   484   NtUserQueryWindow  (65678, 1, ... ) == 0x6bc
 02712   484   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02713   484   NtUserQueryWindow  (262196, 0, ... ) == 0x6b8
 02714   484   NtUserQueryWindow  (262196, 1, ... ) == 0x6d4
 02715   484   NtUserValidateHandleSecure  (262196, ... ) == 0x1
 02716   484   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02717   484   NtUserQueryWindow  (327760, 0, ... ) == 0x6b8
 02718   484   NtUserQueryWindow  (327760, 1, ... ) == 0x6d4
 02719   484   NtUserValidateHandleSecure  (327760, ... ) == 0x1
 02720   484   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02721   484   NtUserQueryWindow  (65852, 0, ... ) == 0x22c
 02722   484   NtUserQueryWindow  (65852, 1, ... ) == 0x220
 02723   484   NtUserValidateHandleSecure  (65852, ... ) == 0x1
 02724   484   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02725   484   NtUserQueryWindow  (65824, 0, ... ) == 0x22c
 02726   484   NtUserQueryWindow  (65824, 1, ... ) == 0x220
 02727   484   NtUserValidateHandleSecure  (65824, ... ) == 0x1
 02728   484   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02729   484   NtUserQueryWindow  (65730, 0, ... ) == 0xa0
 02730   484   NtUserQueryWindow  (65730, 1, ... ) == 0xe4
 02731   484   NtUserValidateHandleSecure  (65730, ... ) == 0x1
 02732   484   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02733   484   NtUserQueryWindow  (65724, 0, ... ) == 0xa0
 02734   484   NtUserQueryWindow  (65724, 1, ... ) == 0xe4
 02735   484   NtUserValidateHandleSecure  (65724, ... ) == 0x1
 02736   484   NtUserValidateHandleSecure  (917786, ... ) == 0x1
 02737   484   NtUserQueryWindow  (917786, 0, ... ) == 0x7bc
 02738   484   NtUserQueryWindow  (917786, 1, ... ) == 0x4e8
 02739   484   NtUserValidateHandleSecure  (917786, ... ) == 0x1
 02740   484   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02741   484   NtUserQueryWindow  (131406, 0, ... ) == 0x4b4
 02742   484   NtUserQueryWindow  (131406, 1, ... ) == 0x474
 02743   484   NtUserValidateHandleSecure  (131406, ... ) == 0x1
 02744   484   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02745   484   NtUserQueryWindow  (65752, 0, ... ) == 0x6b8
 02746   484   NtUserQueryWindow  (65752, 1, ... ) == 0x13c
 02747   484   NtUserValidateHandleSecure  (65752, ... ) == 0x1
 02748   484   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02749   484   NtUserQueryWindow  (65718, 0, ... ) == 0x104
 02750   484   NtUserQueryWindow  (65718, 1, ... ) == 0x108
 02751   484   NtUserValidateHandleSecure  (65718, ... ) == 0x1
 02752   484   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02753   484   NtUserQueryWindow  (65720, 0, ... ) == 0x120
 02754   484   NtUserQueryWindow  (65720, 1, ... ) == 0x124
 02755   484   NtUserValidateHandleSecure  (65720, ... ) == 0x1
 02756   484   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02757   484   NtUserQueryWindow  (65716, 0, ... ) == 0xc4
 02758   484   NtUserQueryWindow  (65716, 1, ... ) == 0xc8
 02759   484   NtUserValidateHandleSecure  (65716, ... ) == 0x1
 02760   484   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02761   484   NtUserQueryWindow  (65728, 0, ... ) == 0x19c
 02762   484   NtUserQueryWindow  (65728, 1, ... ) == 0x1a0
 02763   484   NtUserValidateHandleSecure  (65728, ... ) == 0x1
 02764   484   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02765   484   NtUserQueryWindow  (65690, 0, ... ) == 0x6b8
 02766   484   NtUserQueryWindow  (65690, 1, ... ) == 0x6bc
 02767   484   NtUserValidateHandleSecure  (65690, ... ) == 0x1
 02768   484   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02769   484   NtUserQueryWindow  (327774, 0, ... ) == 0x6b8
 02770   484   NtUserQueryWindow  (327774, 1, ... ) == 0x6bc
 02771   484   NtUserValidateHandleSecure  (327774, ... ) == 0x1
 02772   484   NtUserCloseDesktop  (48, ... ) == 0x1
 02773   484   NtUserGetProcessWindowStation  (... ) == 0x20
 02774   484   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02775   484   NtUserGetProcessWindowStation  (... ) == 0x20
 02776   484   NtUserOpenDesktop  ({24, 32, 0x40, 0, 0,  ({24, 32, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02777   484   NtGdiDeleteObjectApp  (1409943092, ... ) == 0x1
 02778   484   NtGdiDeleteObjectApp  (1913259928, ... ) == 0x1
 02779   484   NtClose  (44, ... ) == 0x0
 02780   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02781   484   NtClose  (100, ... ) == 0x0
 02782   484   NtFreeVirtualMemory  (-1, (0xa20000), 4096, 32768, ... (0xa20000), 4096, ) == 0x0
 02783   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 100, ) }, ... 100, ) == 0x0
 02784   484   NtQueryValueKey  (100,  (100, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02785   484   NtClose  (100, ... ) == 0x0
 02786   484   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592}  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592} "\0\0\0\0\3\0\1\0\0@\0\0\2012\221|\0\0\0\0" ... {20, 48, reply, 0, 860, 484, 58058, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2012\221|\0\0\0\0" )  ... {20, 48, reply, 0, 860, 484, 58058, 0}  (24, {20, 48, new_msg, 0, 2089879920, 2090329280, 1329896, 2089305592} "\0\0\0\0\3\0\1\0\0@\0\0\2012\221|\0\0\0\0" ... {20, 48, reply, 0, 860, 484, 58058, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\2012\221|\0\0\0\0" )  ) == 0x0
 02787   484   NtTerminateProcess  (-1, 0, ...
NtCallbackReturn(>)	1	NtUserCallHwndParam(>)	2	NtUserWaitForInputIdle(>)	4	NtUserKillTimer(>)	14
NtConnectPort(>)	1	NtUserDestroyWindow(>)	2	NtGdiCreateBitmap(>)	5	NtUserGetThreadState(>)	15
NtCreateKey(>)	1	NtUserGetIconSize(>)	2	NtGdiHfontCreate(>)	5	NtCreateFile(>)	16
NtDuplicateObject(>)	1	NtUserGetImeInfoEx(>)	2	NtUserCalcMenuBar(>)	5	NtSetEvent(>)	16
NtFlushVirtualMemory(>)	1	NtUserNotifyIMEStatus(>)	2	NtUserGetAncestor(>)	5	NtUserCallMsgFilter(>)	16
NtFsControlFile(>)	1	NtUserQueryInputContext(>)	2	NtUserGetProcessWindowStation(>)	5	NtOpenEvent(>)	17
NtGdiExtCreateRegion(>)	1	NtUserSetTimer(>)	2	NtUserGetTitleBarInfo(>)	5	NtQueryDirectoryFile(>)	17
NtGdiGetDCDword(>)	1	NtUserSetWindowRgn(>)	2	NtUserPostMessage(>)	5	NtUserRegisterClassExWOW(>)	17
NtGdiInit(>)	1	NtUserSetWindowsHookEx(>)	2	NtUserSetFocus(>)	5	NtGdiDrawStream(>)	18
NtGdiOffsetRgn(>)	1	NtUserShowWindow(>)	2	NtWriteFile(>)	5	NtQueryInformationFile(>)	19
NtGdiQueryFontAssocInfo(>)	1	NtUserUnhookWindowsHookEx(>)	2	NtGdiBitBlt(>)	6	NtSetInformationProcess(>)	19
NtOpenKeyedEvent(>)	1	NtUserUnregisterClass(>)	2	NtGdiCombineRgn(>)	6	NtUserFindExistingCursorIcon(>)	19
NtOpenMutant(>)	1	NtCreateEvent(>)	3	NtGdiCreateCompatibleBitmap(>)	6	NtUserRemoveProp(>)	20
NtQueryKey(>)	1	NtGdiCreateDIBitmapInternal(>)	3	NtGdiCreateRectRgn(>)	6	NtGdiIntersectClipRect(>)	22
NtQueryObject(>)	1	NtGdiExcludeClipRect(>)	3	NtGdiGetCharSet(>)	6	NtOpenSection(>)	22
NtRegisterThreadTerminatePort(>)	1	NtGdiGetDCforBitmap(>)	3	NtGdiGetStockObject(>)	6	NtUserRegisterWindowMessage(>)	22
NtSecureConnectPort(>)	1	NtGdiGetDIBitsInternal(>)	3	NtOpenThreadToken(>)	6	NtQuerySystemInformation(>)	24
NtSetValueKey(>)	1	NtGdiGetWidthTable(>)	3	NtUserBeginPaint(>)	6	NtUserPostThreadMessage(>)	24
NtTestAlert(>)	1	NtGdiRestoreDC(>)	3	NtUserGetClassInfo(>)	6	NtUserGetWindowDC(>)	25
NtUserBuildNameList(>)	1	NtGdiSaveDC(>)	3	NtUserGetForegroundWindow(>)	6	NtUserPeekMessage(>)	28
NtUserCallHwnd(>)	1	NtGdiSetDIBitsToDeviceInternal(>)	3	NtUserGetKeyboardLayoutList(>)	6	NtQueryDefaultLocale(>)	29
NtUserCloseDesktop(>)	1	NtOpenSymbolicLinkObject(>)	3	NtUserSelectPalette(>)	6	NtOpenProcessTokenEx(>)	30
NtUserDrawIconEx(>)	1	NtQuerySymbolicLinkObject(>)	3	NtUserSetWindowPos(>)	6	NtOpenThreadTokenEx(>)	30
NtUserFindWindowEx(>)	1	NtSetInformationFile(>)	3	NtCreateMutant(>)	7	NtGdiDeleteObjectApp(>)	32
NtUserGetCursorFrameInfo(>)	1	NtSetInformationObject(>)	3	NtSetInformationThread(>)	7	NtQueryInformationProcess(>)	34
NtUserGetGUIThreadInfo(>)	1	NtUserEndPaint(>)	3	NtUserDestroyCursor(>)	7	NtUnmapViewOfSection(>)	34
NtUserInvalidateRect(>)	1	NtUserGetIconInfo(>)	3	NtUserGetControlBrush(>)	7	NtCreateSection(>)	35
NtUserModifyUserStartupInfoFlags(>)	1	NtUserGetObjectInformation(>)	3	NtUserSetProp(>)	7	NtGdiSelectBitmap(>)	37
NtUserSetCapture(>)	1	NtUserGetThreadDesktop(>)	3	NtEnumerateKey(>)	8	NtFlushInstructionCache(>)	41
NtUserSetImeOwnerWindow(>)	1	NtUserOpenDesktop(>)	3	NtQueryDefaultUILanguage(>)	8	NtOpenFile(>)	41
NtUserSetThreadState(>)	1	NtUserSetCursor(>)	3	NtQueryVirtualMemory(>)	8	NtQueryInformationToken(>)	41
NtUserTranslateMessage(>)	1	NtUserSetCursorIconData(>)	3	NtUserInternalGetWindowText(>)	8	NtAllocateVirtualMemory(>)	42
NtUserWaitMessage(>)	1	NtUserSystemParametersInfo(>)	3	NtWriteVirtualMemory(>)	8	NtQueryAttributesFile(>)	47
NtCreateProcessEx(>)	2	NtUserUpdateInputContext(>)	3	NtQuerySection(>)	9	NtMapViewOfSection(>)	54
NtCreateThread(>)	2	NtAccessCheck(>)	4	NtQueryVolumeInformationFile(>)	9	NtWaitForSingleObject(>)	57
NtDeviceIoControlFile(>)	2	NtContinue(>)	4	NtUserSetWindowFNID(>)	9	NtReleaseMutant(>)	59
NtGdiCreatePatternBrushInternal(>)	2	NtDuplicateToken(>)	4	NtOpenProcessToken(>)	10	NtUserCallOneParam(>)	64
NtGdiCreateSolidBrush(>)	2	NtFreeVirtualMemory(>)	4	NtUserGetDC(>)	10	NtQueryValueKey(>)	70
NtGdiDoPalette(>)	2	NtGdiGetDCObject(>)	4	NtUserCallNoParam(>)	11	NtUserMessageCall(>)	72
NtGdiGetBitmapBits(>)	2	NtGdiGetTextCharsetInfo(>)	4	NtUserSetWindowLong(>)	11	NtProtectVirtualMemory(>)	84
NtGdiStretchDIBitsInternal(>)	2	NtGdiGetTextMetricsW(>)	4	NtRequestWaitReplyPort(>)	12	NtOpenKey(>)	129
NtOpenDirectoryObject(>)	2	NtReadVirtualMemory(>)	4	NtUserCreateWindowEx(>)	12	NtUserQueryWindow(>)	182
NtQueryDebugFilterState(>)	2	NtUserCallHwndLock(>)	4	NtGdiExtGetObjectW(>)	13	NtClose(>)	237
NtQueryInformationJobObject(>)	2	NtUserFillWindow(>)	4	NtGdiCreateCompatibleDC(>)	14	NtUserValidateHandleSecure(>)	406
NtQueryInstallUILanguage(>)	2	NtUserGetAtomName(>)	4	NtGdiExtSelectClipRgn(>)	14
NtResumeThread(>)	2	NtUserGetClassName(>)	4	NtGdiGetRandomRgn(>)	14
NtTerminateProcess(>)	2