Summary (number of calls per system service):

NtAdjustPrivilegesToken(>) 1 NtFreeVirtualMemory(>) 2 NtFsControlFile(>) 4 NtGdiGetRandomRgn(>) 12
NtCallbackReturn(>) 1 NtGdiCreatePatternBrushInternal(>) 2 NtGdiSetupPublicCFONT(>) 4 NtQuerySystemInformation(>) 13
NtConnectPort(>) 1 NtGdiCreateSolidBrush(>) 2 NtOpenProcessToken(>) 4 NtQueryAttributesFile(>) 15
NtGdiCreateBitmap(>) 1 NtGdiGetWidthTable(>) 2 NtQuerySection(>) 4 NtGdiIntersectClipRect(>) 16
NtGdiExtCreateRegion(>) 1 NtOpenDirectoryObject(>) 2 NtReadFile(>) 4 NtGdiDrawStream(>) 18
NtGdiExtGetObjectW(>) 1 NtOpenThreadToken(>) 2 NtUserCalcMenuBar(>) 4 NtOpenProcess(>) 18
NtGdiGetDCDword(>) 1 NtQueryDefaultUILanguage(>) 2 NtUserCallHwndLock(>) 4 NtUserGetClassInfo(>) 18
NtGdiGetTextExtent(>) 1 NtQueryVirtualMemory(>) 2 NtUserFillWindow(>) 4 NtWaitForSingleObject(>) 18
NtGdiInit(>) 1 NtSetEvent(>) 2 NtUserGetAtomName(>) 4 NtUserCallMsgFilter(>) 19
NtGdiOffsetRgn(>) 1 NtSetInformationFile(>) 2 NtUserGetClassName(>) 4 NtUserWaitMessage(>) 23
NtGdiQueryFontAssocInfo(>) 1 NtUserGetForegroundWindow(>) 2 NtUserGetDCEx(>) 4 NtQueryInformationThread(>) 24
NtOpenKeyedEvent(>) 1 NtUserGetThreadDesktop(>) 2 NtUserGetTitleBarInfo(>) 4 NtUserGetWindowDC(>) 24
NtOpenMutant(>) 1 NtUserRegisterWindowMessage(>) 2 NtUserQueryWindow(>) 4 NtCreateThread(>) 25
NtOpenSymbolicLinkObject(>) 1 NtUserSetCursor(>) 2 NtUserSetProp(>) 4 NtRegisterThreadTerminatePort(>) 25
NtQueryInstallUILanguage(>) 1 NtUserSetFocus(>) 2 NtUserSetWindowFNID(>) 4 NtResumeThread(>) 25
NtQueryObject(>) 1 NtUserSetWindowRgn(>) 2 NtUserThunkedMenuItemInfo(>) 4 NtTestAlert(>) 25
NtQueryPerformanceCounter(>) 1 NtUserShowWindow(>) 2 NtGdiGetStockObject(>) 5 NtContinue(>) 26
NtQuerySymbolicLinkObject(>) 1 NtDuplicateObject(>) 3 NtUserGetAncestor(>) 5 NtCreateEvent(>) 26
NtQuerySystemTime(>) 1 NtGdiBitBlt(>) 3 NtUserSetWindowLong(>) 5 NtUnmapViewOfSection(>) 26
NtQueryTimerResolution(>) 1 NtGdiCreateCompatibleBitmap(>) 3 NtUserSystemParametersInfo(>) 5 NtUserCallOneParam(>) 29
NtQueryVolumeInformationFile(>) 1 NtGdiExcludeClipRect(>) 3 NtGdiCombineRgn(>) 6 NtUserFindExistingCursorIcon(>) 29
NtSecureConnectPort(>) 1 NtGdiGetCharSet(>) 3 NtGdiCreateRectRgn(>) 6 NtOpenSection(>) 32
NtUserBuildHwndList(>) 1 NtGdiGetTextCharsetInfo(>) 3 NtOpenFile(>) 6 NtRequestWaitReplyPort(>) 32
NtUserCallHwnd(>) 1 NtGdiGetTextMetricsW(>) 3 NtOpenProcessTokenEx(>) 6 NtSetInformationThread(>) 32
NtUserCallHwndParam(>) 1 NtGdiHfontCreate(>) 3 NtOpenThreadTokenEx(>) 6 NtOpenKey(>) 33
NtUserDrawIconEx(>) 1 NtQueryDefaultLocale(>) 3 NtUserBeginPaint(>) 6 NtUserRegisterClassExWOW(>) 34
NtUserGetCursorFrameInfo(>) 1 NtQueryInformationFile(>) 3 NtGdiCreateCompatibleDC(>) 7 NtWriteVirtualMemory(>) 51
NtUserGetGUIThreadInfo(>) 1 NtQueryInformationProcess(>) 3 NtGdiSelectBitmap(>) 7 NtQueryValueKey(>) 57
NtUserGetIconSize(>) 1 NtSetInformationObject(>) 3 NtUserInternalGetWindowText(>) 7 NtMapViewOfSection(>) 61
NtUserGetProcessWindowStation(>) 1 NtUserEndPaint(>) 3 NtCreateSection(>) 8 NtUserPeekMessage(>) 63
NtUserModifyUserStartupInfoFlags(>) 1 NtUserGetControlBrush(>) 3 NtGdiDeleteObjectApp(>) 8 NtUserMessageCall(>) 79
NtUserRemoveProp(>) 1 NtUserGetObjectInformation(>) 3 NtUserCreateWindowEx(>) 8 NtProtectVirtualMemory(>) 84
NtWriteFile(>) 1 NtUserSetWindowPos(>) 3 NtUserCallNoParam(>) 9 NtAllocateVirtualMemory(>) 86
NtCreateIoCompletion(>) 2 NtCreateFile(>) 4 NtQueryInformationToken(>) 10 NtClose(>) 96
NtCreateSemaphore(>) 2 NtFlushInstructionCache(>) 4 NtGdiExtSelectClipRgn(>) 12 NtDelayExecution(>) 520

Trace (sequence number, thread ID, system call with arguments, result):

00001 296 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 296 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 296 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 296 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 296 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 296 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 296 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 296 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 296 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 296 NtClose (12, ... 
) == 0x0 00014 296 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 296 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 296 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 296 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 296 NtClose (16, ... ) == 0x0 00021 296 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 296 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 296 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00025 296 NtClose (16, ... ) == 0x0 00026 296 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 296 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 296 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 296 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 296 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 292, 296, 1434, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 292, 296, 1434, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 292, 296, 1434, 0} " \214\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00032 296 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 296 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 296 NtClose (16, ... ) == 0x0 00036 296 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 296 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 296 NtClose (28, ... ) == 0x0 00041 296 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 296 NtClose (28, ... ) == 0x0 00045 296 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 296 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 296 NtClose (28, ... ) == 0x0 00049 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 296 NtClose (28, ... ) == 0x0 00052 296 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... 
{28, 56, reply, 0, 292, 296, 1437, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 292, 296, 1437, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 292, 296, 1437, 0} "\220\270\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00056 296 NtProtectVirtualMemory (-1, (0x536000), 4096, 4, ... (0x536000), 4096, 8, ) == 0x0 00057 296 NtProtectVirtualMemory (-1, (0x536000), 4096, 8, ... (0x536000), 4096, 4, ) == 0x0 00058 296 NtFlushInstructionCache (-1, 5464064, 4096, ... ) == 0x0 00059 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00061 296 NtClose (28, ... ) == 0x0 00062 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 296 NtClose (28, ... ) == 0x0 00065 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00067 296 NtClose (28, ... ) == 0x0 00068 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00070 296 NtClose (28, ... ) == 0x0 00071 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00072 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00073 296 NtClose (28, ... 
) == 0x0 00074 296 NtProtectVirtualMemory (-1, (0x536000), 4096, 4, ... (0x536000), 4096, 4, ) == 0x0 00075 296 NtProtectVirtualMemory (-1, (0x536000), 4096, 4, ... (0x536000), 4096, 4, ) == 0x0 00076 296 NtFlushInstructionCache (-1, 5464064, 4096, ... ) == 0x0 00077 296 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00078 296 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00079 296 NtClose (28, ... ) == 0x0 00080 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00081 296 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00082 296 NtClose (28, ... ) == 0x0 00083 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00084 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 292, 296, 1440, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 292, 296, 1440, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ... 
{28, 56, reply, 0, 292, 296, 1440, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00085 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 296 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x620000), 0x0, 1060864, ) == 0x0 00087 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00088 296 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00089 296 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482044, ) == 0x0 00090 296 NtQueryInformationToken (-2147482044, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00091 296 NtQueryInformationToken (-2147482044, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00092 296 NtClose (-2147482044, ... ) == 0x0 00093 296 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00094 296 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00095 296 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00096 296 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00097 296 NtQueryValueKey (-2147482044, (-2147482044, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00098 296 NtClose (-2147482044, ... ) == 0x0 00099 296 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00100 296 NtQueryValueKey (-2147482044, (-2147482044, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 296 NtClose (-2147482044, ... ) == 0x0 00102 296 NtQueryDefaultLocale (0, -136115700, ... 
) == 0x0 00103 296 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00104 296 NtUserCallNoParam (24, ... ) == 0x0 00105 296 NtGdiCreateCompatibleDC (0, ... 00106 296 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00105 296 NtGdiCreateCompatibleDC ... ) == 0x90103df 00107 296 NtGdiGetStockObject (0, ... ) == 0x1900010 00108 296 NtGdiGetStockObject (4, ... ) == 0x1900011 00109 296 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0x13050321 00110 296 NtGdiCreateSolidBrush (0, 0, ... 00111 296 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 10682368, 4096, ) == 0x0 00110 296 NtGdiCreateSolidBrush ... ) == 0x81003da 00112 296 NtGdiGetStockObject (13, ... ) == 0x18a0021 00113 296 NtGdiCreateCompatibleDC (0, ... ) == 0x1101031c 00114 296 NtGdiSelectBitmap (285279004, 319095585, ... ) == 0x185000f 00115 296 NtUserGetThreadDesktop (296, 0, ... ) == 0x28 00116 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00117 296 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00118 296 NtClose (48, ... ) == 0x0 00119 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00120 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810ec017 00121 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00122 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810ec01c 00123 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00124 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810ec01e 00125 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... 
) == 0x10011 00126 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810e8002 00127 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00128 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810ec018 00129 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00130 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810ec01a 00131 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00132 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810ec01d 00133 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00134 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810ec026 00135 296 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00136 296 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810ec019 00137 296 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00138 296 NtAllocateVirtualMemory (-1, 7630848, 0, 4096, 4096, 32, ... 7630848, 4096, ) == 0x0 00137 296 NtUserRegisterClassExWOW ... ) == 0x810ec020 00139 296 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec022 00140 296 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec023 00141 296 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00142 296 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810ec024 00143 296 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810ec025 00144 296 NtCallbackReturn (0, 0, 0, ... 00145 296 NtGdiInit (... ) == 0x1 00146 296 NtGdiGetStockObject (18, ... ) == 0x290001c 00147 296 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00148 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00149 296 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00150 296 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00151 296 NtClose (48, ... ) == 0x0 00152 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00153 296 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00154 296 NtClose (48, ... ) == 0x0 00155 296 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00156 296 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00157 296 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00158 296 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00159 296 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 296 NtClose (52, ... ) == 0x0 00161 296 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {292, 0}, ... 
52, ) == 0x0 00162 296 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00163 296 NtClose (52, ... ) == 0x0 00164 296 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00165 296 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00166 296 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00167 296 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00168 296 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00169 296 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00170 296 NtClose (52, ... ) == 0x0 00171 296 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0 00172 296 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00173 296 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00174 296 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 296 NtClose (56, ... ) == 0x0 00176 296 NtUserSystemParametersInfo (41, 500, 1243132, 0, ... ) == 0x1 00177 296 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00178 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00179 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00180 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03b 00181 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00182 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03d 00183 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00184 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... 
) == 0x10011 00185 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec03f 00186 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00187 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00188 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec041 00189 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00190 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00191 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec043 00192 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00193 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec045 00194 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00195 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00196 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec047 00197 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00198 296 NtUserFindExistingCursorIcon (1242920, 1242936, 1243504, ... ) == 0x10011 00199 296 NtUserRegisterClassExWOW (1243372, 1243452, 1243436, 1243468, 0, 384, 0, ... ) == 0x810ec049 00200 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00201 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00202 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec04b 00203 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00204 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00205 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810ec04d 00206 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00207 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00208 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec04f 00209 296 NtUserGetClassInfo (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0x0 00210 296 NtUserRegisterClassExWOW (1243380, 1243460, 1243444, 1243476, 0, 384, 0, ... ) == 0x810ec051 00211 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00212 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00213 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec053 00214 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00215 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00216 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec055 00217 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec057 00218 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00219 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00220 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec059 00221 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00222 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10013 00223 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec05b 00224 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00225 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00226 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... 
) == 0x810ec05d 00227 296 NtUserGetClassInfo (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0x0 00228 296 NtUserFindExistingCursorIcon (1242924, 1242940, 1243508, ... ) == 0x10011 00229 296 NtUserRegisterClassExWOW (1243376, 1243456, 1243440, 1243472, 0, 384, 0, ... ) == 0x810ec05f 00230 296 NtTestAlert (... ) == 0x0 00231 296 NtContinue (1244464, 1, ... 00232 296 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x591400,}, 4, ... ) == 0x0 00233 296 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0 00234 296 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1245092, 0, (0x1f0003, {24, 56, 0x80, 1245092, 0, "VT_3"}, 1, 0, ... 60, ) }, 1, 0, ... 60, ) == 0x0 00235 296 NtCreateSection (0xf0007, {24, 56, 0x80, 1245092, 0, (0xf0007, {24, 56, 0x80, 1245092, 0, "W32_Virtu"}, {22585, 0}, 4, 134217728, 0, ... 64, ) }, {22585, 0}, 4, 134217728, 0, ... 64, ) == 0x0 00236 296 NtMapViewOfSection (64, -1, (0x0), 0, 22585, 0x0, 22585, 2, 0, 4, ... (0xa40000), 0x0, 24576, ) == 0x0 00237 296 NtOpenProcessToken (-1, 0x20, ... 68, ) == 0x0 00238 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00239 296 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00240 296 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 72, ) }, ... 72, ) == 0x0 00241 296 NtQueryValueKey (72, (72, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00242 296 NtClose (72, ... 
) == 0x0 00243 296 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 72, ) == 0x0 00245 296 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00246 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 76, ) == 0x0 00247 296 NtQuerySystemTime (... {641676492, 29889223}, ) == 0x0 00248 296 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 00249 296 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 296 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 00251 296 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 00252 296 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 00253 296 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0 00254 296 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 88, ) == 0x0 00255 296 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 92, ) }, ... 92, ) == 0x0 00256 296 NtOpenKey (0x20019, {24, 92, 0x40, 0, 0, (0x20019, {24, 92, 0x40, 0, 0, "ActiveComputerName"}, ... 96, ) }, ... 96, ) == 0x0 00257 296 NtQueryValueKey (96, (96, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (96, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (96, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 00258 296 NtClose (96, ... ) == 0x0 00259 296 NtClose (92, ... ) == 0x0 00260 296 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 92, ) == 0x0 00261 296 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 96, ) == 0x0 00262 296 NtDuplicateObject (-1, 92, -1, 0x0, 0, 2, ... 100, ) == 0x0 00263 296 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00264 296 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00265 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0 00266 296 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00267 296 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00268 296 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243268, (0xc0100080, {24, 0, 0x40, 0, 1243268, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0 00269 296 NtSetInformationFile (108, 1243324, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 00270 296 NtSetInformationFile (108, 1243316, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 00271 296 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 00272 296 NtWriteFile (108, 85, 0, 0, (108, 85, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 00273 296 NtReadFile (108, 85, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (108, 85, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 00274 296 NtFsControlFile (108, 85, 0x0, 0x0, 0x11c017, (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0<\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 00275 296 NtFsControlFile (108, 85, 0x0, 0x0, 0x11c017, (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305 \0"\0\330/\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0\330/\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305 \0"\0\330/\24\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 00276 296 NtFsControlFile (108, 85, 0x0, 0x0, 0x11c017, (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (108, 85, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\31\213tc\272~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 00277 296 NtClose (104, ... ) == 0x0 00278 296 NtClose (108, ... ) == 0x0 00279 296 NtAdjustPrivilegesToken (68, 0, 1245096, 0, 0, 0, ... ) == 0x0 00280 296 NtClose (68, ... ) == 0x0 00281 296 NtAllocateVirtualMemory (-1, 0, 0, 65536, 4096, 4, ... 10813440, 65536, ) == 0x0 00282 296 NtQuerySystemInformation (ProcessesAndThreads, 65536, ... {system info, class 5, size 500}, 0x0, ) == 0x0 00283 296 NtCreateSection (0xf0007, 0x0, {11728, 0}, 4, 134217728, 0, ... 68, ) == 0x0 00284 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa60000), {0, 0}, 12288, ) == 0x0 00285 296 NtUnmapViewOfSection (-1, 0xa60000, ... ) == 0x0 00286 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa60000), {0, 0}, 12288, ) == 0x0 00287 296 NtFreeVirtualMemory (-1, (0xa50000), 0, 32768, ... (0xa50000), 65536, ) == 0x0 00288 296 NtUnmapViewOfSection (-1, 0xa60000, ... ) == 0x0 00289 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00290 296 NtUnmapViewOfSection (-1, 0xa50000, ... 
) == 0x0 00291 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00292 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00293 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00294 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00295 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00296 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00297 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00298 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00299 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 108, ) == 0x0 00300 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 104, ) }, ... 104, ) == 0x0 00301 296 NtMapViewOfSection (104, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00302 296 NtClose (104, ... ) == 0x0 00303 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00304 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00305 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00306 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00307 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00308 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00309 296 NtAllocateVirtualMemory (108, 0, 0, 1048576, 8192, 4, ... 21102592, 1048576, ) == 0x0 00310 296 NtAllocateVirtualMemory (108, 22142976, 0, 8192, 4096, 4, ... 22142976, 8192, ) == 0x0 00311 296 NtProtectVirtualMemory (108, (0x151e000), 4096, 260, ... 
(0x151e000), 4096, 4, ) == 0x0 00312 296 NtCreateThread (0x1f03ff, 0x0, 108, 1244008, 1244724, 1, ... 104, {616, 540}, ) == 0x0 00313 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0h\0\0\0h\2\0\0\34\2\0\0" ... {28, 56, reply, 0, 292, 296, 1450, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\0\0\0h\2\0\0\34\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1450, 0} (24, {28, 56, new_msg, 0, 1244852, 2012750850, 2012697848, -1} "\0\0\0\0\1\0\1\0\0\0\24\0\0\0\0\0h\0\0\0h\2\0\0\34\2\0\0" ... {28, 56, reply, 0, 292, 296, 1450, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\0\0\0h\2\0\0\34\2\0\0" ) ) == 0x0 00314 296 NtResumeThread (104, ... 1, ) == 0x0 00315 296 NtClose (108, ... ) == 0x0 00316 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00317 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00318 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {660, 0}, ... 108, ) == 0x0 00319 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00320 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00321 296 NtClose (112, ... ) == 0x0 00322 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00323 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00324 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00325 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00326 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00327 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00328 296 NtClose (108, ... ) == 0x0 00329 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00330 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00331 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {672, 0}, ... 108, ) == 0x0 00332 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00333 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff90000), 0x0, 24576, ) == 0x0 00334 296 NtClose (112, ... ) == 0x0 00335 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00336 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00337 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00338 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00339 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00340 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\1\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00341 296 NtClose (108, ... ) == 0x0 00342 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00343 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00344 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {844, 0}, ... 108, ) == 0x0 00345 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00346 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00347 296 NtClose (112, ... ) == 0x0 00348 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00349 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 
0x0, ) , 5, ... 0x0, ) == 0x0 00350 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00351 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00352 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00353 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00354 296 NtClose (108, ... ) == 0x0 00355 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00356 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00357 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {964, 0}, ... 108, ) == 0x0 00358 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00359 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ff70000), 0x0, 24576, ) == 0x0 00360 296 NtClose (112, ... ) == 0x0 00361 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00362 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00363 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00364 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00365 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00366 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\377\7", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00367 296 NtClose (108, ... ) == 0x0 00368 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00369 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00370 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1044, 0}, ... 
108, ) == 0x0 00371 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00372 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00373 296 NtClose (112, ... ) == 0x0 00374 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00375 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00376 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00377 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00378 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00379 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00380 296 NtClose (108, ... ) == 0x0 00381 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00382 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00383 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1076, 0}, ... 108, ) == 0x0 00384 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00385 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00386 296 NtClose (112, ... ) == 0x0 00387 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00388 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00389 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00390 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00391 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00392 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00393 296 NtClose (108, ... ) == 0x0 00394 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00395 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00396 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1372, 0}, ... 108, ) == 0x0 00397 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00398 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00399 296 NtClose (112, ... ) == 0x0 00400 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00401 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00402 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00403 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00404 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00405 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00406 296 NtClose (108, ... ) == 0x0 00407 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00408 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00409 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1648, 0}, ... 108, ) == 0x0 00410 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00411 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00412 296 NtClose (112, ... ) == 0x0 00413 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00414 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00415 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00416 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00417 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00418 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00419 296 NtClose (108, ... ) == 0x0 00420 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00421 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00422 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1940, 0}, ... 108, ) == 0x0 00423 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00424 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00425 296 NtClose (112, ... ) == 0x0 00426 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00427 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00428 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00429 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00430 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00431 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00432 296 NtClose (108, ... 
) == 0x0 00433 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00434 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00435 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {1988, 0}, ... 108, ) == 0x0 00436 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00437 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00438 296 NtClose (112, ... ) == 0x0 00439 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00440 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00441 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00442 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00443 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00444 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00445 296 NtClose (108, ... ) == 0x0 00446 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00447 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00448 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {168, 0}, ... 108, ) == 0x0 00449 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00450 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00451 296 NtClose (112, ... ) == 0x0 00452 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00453 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00454 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00455 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00456 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00457 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00458 296 NtClose (108, ... ) == 0x0 00459 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00460 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00461 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {184, 0}, ... 108, ) == 0x0 00462 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00463 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00464 296 NtClose (112, ... ) == 0x0 00465 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00466 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00467 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00468 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00469 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00470 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00471 296 NtClose (108, ... ) == 0x0 00472 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00473 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00474 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {196, 0}, ... 
108, ) == 0x0 00475 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00476 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00477 296 NtClose (112, ... ) == 0x0 00478 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00479 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00480 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00481 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00482 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00483 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00484 296 NtClose (108, ... ) == 0x0 00485 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00486 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00487 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {224, 0}, ... 108, ) == 0x0 00488 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00489 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00490 296 NtClose (112, ... ) == 0x0 00491 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00492 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00493 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00494 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 
0x0, ) == 0x0 00495 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00496 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00497 296 NtClose (108, ... ) == 0x0 00498 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00499 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00500 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {268, 0}, ... 108, ) == 0x0 00501 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00502 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... (0x7ffa0000), 0x0, 24576, ) == 0x0 00503 296 NtClose (112, ... ) == 0x0 00504 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00505 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00506 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00507 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00508 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00509 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00510 296 NtClose (108, ... ) == 0x0 00511 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00512 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00513 296 NtOpenProcess (0x2a, {24, 0, 0x0, 0, 0, 0x0}, {292, 0}, ... 108, ) == 0x0 00514 296 NtOpenSection (0x6, {24, 56, 0x0, 0, 0, (0x6, {24, 56, 0x0, 0, 0, "W32_Virtu"}, ... 112, ) }, ... 112, ) == 0x0 00515 296 NtMapViewOfSection (112, 108, (0x0), 0, 22585, 0x0, 22585, 2, 1048576, 4, ... 
(0x7ffa0000), 0x0, 24576, ) == 0x0 00516 296 NtClose (112, ... ) == 0x0 00517 296 NtProtectVirtualMemory (108, (0x77f7e603), 5, 64, ... (0x77f7e000), 4096, 32, ) == 0x0 00518 296 NtWriteVirtualMemory (108, 0x77f7e603, (108, 0x77f7e603, "\350q-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00519 296 NtProtectVirtualMemory (108, (0x77f7e6a3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00520 296 NtWriteVirtualMemory (108, 0x77f7e6a3, (108, 0x77f7e6a3, "\350\36-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00521 296 NtProtectVirtualMemory (108, (0x77f7e6b3), 5, 64, ... (0x77f7e000), 4096, 64, ) == 0x0 00522 296 NtWriteVirtualMemory (108, 0x77f7e6b3, (108, 0x77f7e6b3, "\350\33-\2\10", 5, ... 0x0, ) , 5, ... 0x0, ) == 0x0 00523 296 NtClose (108, ... ) == 0x0 00524 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa50000), {0, 0}, 12288, ) == 0x0 00525 296 NtUnmapViewOfSection (-1, 0xa50000, ... ) == 0x0 00526 296 NtClose (68, ... ) == 0x0 00527 296 NtClose (60, ... ) == 0x0 00528 296 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Software\Wine"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00529 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00530 296 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00531 296 NtContinue (1244368, 0, ... 00532 296 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\KERNEL32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00533 296 NtQueryInformationFile (60, 1245004, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 00534 296 NtAllocateVirtualMemory (-1, 0, 0, 926720, 4096, 64, ... 10813440, 929792, ) == 0x0 00535 296 NtReadFile (60, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, (60, 0, 0, 0, 926720, 0x0, 0, ... {status=0x0, info=926720}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\233\10S\206\337i=\325\337i=\325\337i=\325\337i<\325]h=\325%J$\325\334i=\325\337i=\325\335i=\325%J\2\325\336i=\325HJx\325\336i=\325%J}\325\334i=\325\5J!\325\16i=\325\5J \325\334i=\325%J\0\325\336i=\325Rich\337i=\325\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0H\7\0\0\336\6\0\0\0\0\0A\242\1\0\0\20\0\0\0\20\7\0\0\0\346w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0P\16\0\0\4\0\0\222\207\16\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0@!\2\0\210i\0\0\304-\7\0(\0\0\0\0\220\7\0\330^\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\15\0\20S\0\0 V\7\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250f\7\0@\0\0\0\220\2\0\0\34\0\0\0\0\20\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.tex", ) , ) == 0x0 00536 296 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244952, (0x80100080, {24, 0, 0x40, 0, 1244952, "\??\C:\WINDOWS\System32\USER32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 68, {status=0x0, info=1}, ) == 0x0 00537 296 NtQueryInformationFile (68, 1245004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00538 296 NtAllocateVirtualMemory (-1, 0, 0, 561152, 4096, 64, ... 11796480, 561152, ) == 0x0 00539 296 NtReadFile (68, 0, 0, 0, 561152, 0x0, 0, ... {status=0x0, info=561152}, (68, 0, 0, 0, 561152, 0x0, 0, ... 
{status=0x0, info=561152}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0cf;e'\7U6'\7U6'\7U6'\7T6`\6U6\335$L6 \7U6'\7U6%\7U6\335$j6&\7U6\260$\206&\7U6\335$\256!\7U6\375$I6U\7U6\335$h6&\7U6Rich'\7U6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0\262\5\0\0\340\2\0\0\0\0\0KQ\0\0\0\20\0\0\0P\5\0\0\0\324w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\320\10\0\0\4\0\0\35?\11\0\2\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0pk\1\0\251K\0\0\230\244\5\0P\0\0\0\0\360\5\0\210\240\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\10\0\270+\0\0\0\300\5\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\2\0\0L\0\0\0\0\20\0\0\324\4\0\0\300\241\5\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\08\260\5\0", ) , ) == 0x0 00540 296 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244956, (0x80100080, {24, 0, 0x40, 0, 1244956, "\??\C:\WINDOWS\System32\ADVAPI32.dll"}, 0x0, 4, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) }, 0x0, 4, 1, 1, 96, 0, 0, ... 108, {status=0x0, info=1}, ) == 0x0 00541 296 NtQueryInformationFile (108, 1245008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00542 296 NtAllocateVirtualMemory (-1, 0, 0, 549888, 4096, 64, ... 12386304, 552960, ) == 0x0 00543 296 NtReadFile (108, 0, 0, 0, 549888, 0x0, 0, ... {status=0x0, info=549888}, (108, 0, 0, 0, 549888, 0x0, 0, ... 
{status=0x0, info=549888}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\375\343\244\227\271\202\312\304\271\202\312\304\271\202\312\304C\241\323\304\276\202\312\304\271\202\312\304\273\202\312\304C\241\212\304\275\202\312\304\364\241\326\304\262\202\312\304p\240\340\304\277\202\312\304\271\202\313\304\37\203\312\304C\241\365\304\270\202\312\304.\241\217\304\270\202\312\304c\241\327\304\255\202\312\304c\241\326\304:\202\312\304C\241\367\304\270\202\312\304Rich\271\202\312\304\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\16\376};\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\0\0B\6\0\02\2\0\0\0\0\0\373\34\0\0\0\20\0\0\0 \6\0\0\0\335w\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\260\10\0\0\4\0\0\305\371\10\0\3\0\0\0\0\0\4\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\224\1\0YQ\0\0\204(\6\0P\0\0\0\0\260\6\0h\251\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0`\10\0\264D\0\0\330P\6\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\2\0\0L\0\0\0\0\20\0\0\\6\0\0\360&\6\0`\0\0\0\0\0\0\0", ) , ) == 0x0 00544 296 NtClose (108, ... ) == 0x0 00545 296 NtClose (68, ... ) == 0x0 00546 296 NtClose (60, ... ) == 0x0 00547 296 NtAllocateVirtualMemory (-1, 0, 0, 748, 4096, 4, ... 12976128, 4096, ) == 0x0 00548 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "winmm.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00549 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\winmm.dll"}, 1243024, ... ) }, 1243024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 296 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "winmm.dll"}, 1243024, ... ) }, 1243024, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00551 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 1243024, ... ) == 0x0 00552 296 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winmm.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00553 296 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 68, ) == 0x0 00554 296 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00555 296 NtOpenProcessToken (-1, 0x8, ... 108, ) == 0x0 00556 296 NtQueryInformationToken (108, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00557 296 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00558 296 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 112, ) == 0x0 00559 296 NtQueryValueKey (112, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 00560 296 NtClose (112, ... ) == 0x0 00561 296 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00562 296 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 112, ) == 0x0 00563 296 NtQueryInformationToken (112, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00564 296 NtClose (112, ... ) == 0x0 00565 296 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00566 296 NtClose (108, ... ) == 0x0 00567 296 NtClose (60, ... 
) == 0x0 00568 296 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 00569 296 NtClose (68, ... ) == 0x0 00570 296 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 68, ) == 0x0 00571 296 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 60, ) == 0x0 00572 296 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 108, ) == 0x0 00573 296 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 112, ) == 0x0 00574 296 NtQueryValueKey (112, "wave", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 296 NtQueryValueKey (112, "wave1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00576 296 NtQueryValueKey (112, "wave2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00577 296 NtQueryValueKey (112, "wave3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00578 296 NtQueryValueKey (112, "wave4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00579 296 NtQueryValueKey (112, "wave5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 296 NtQueryValueKey (112, "wave6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00581 296 NtQueryValueKey (112, "wave7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00582 296 NtQueryValueKey (112, "wave8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00583 296 NtQueryValueKey (112, "wave9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00584 296 NtQueryValueKey (112, "midi", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 296 NtQueryValueKey (112, "midi1", Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00586 296 NtQueryValueKey (112, "midi2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00587 296 NtQueryValueKey (112, "midi3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 296 NtQueryValueKey (112, "midi4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00589 296 NtQueryValueKey (112, "midi5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00590 296 NtQueryValueKey (112, "midi6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00591 296 NtQueryValueKey (112, "midi7", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00592 296 NtQueryValueKey (112, "midi8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00593 296 NtQueryValueKey (112, "midi9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00594 296 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 00595 296 NtQueryValueKey (112, "aux", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00596 296 NtQueryValueKey (112, "aux1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00597 296 NtQueryValueKey (112, "aux2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00598 296 NtQueryValueKey (112, "aux3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00599 296 NtQueryValueKey (112, "aux4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 296 NtQueryValueKey (112, "aux5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00601 296 NtQueryValueKey (112, "aux6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00602 296 NtQueryValueKey (112, "aux7", Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00603 296 NtQueryValueKey (112, "aux8", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00604 296 NtQueryValueKey (112, "aux9", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00605 296 NtUserRegisterWindowMessage ("MSJSTICK_VJOYD_MSGSTR", ... ) == 0xc07c 00606 296 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 116, ) == 0x0 00607 296 NtQueryValueKey (116, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) == 0x0 00608 296 NtClose (116, ... ) == 0x0 00609 296 NtCreateEvent (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) == STATUS_ACCESS_DENIED 00610 296 NtQueryValueKey (112, "mixer", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00611 296 NtQueryValueKey (112, "mixer1", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00612 296 NtQueryValueKey (112, "mixer2", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00613 296 NtQueryValueKey (112, "mixer3", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00614 296 NtQueryValueKey (112, "mixer4", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00615 296 NtQueryValueKey (112, "mixer5", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00616 296 NtQueryValueKey (112, "mixer6", Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00617 296 NtQueryValueKey (112, "mixer7", Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00618 296 NtQueryValueKey (112, (112, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00619 296 NtQueryValueKey (112, (112, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00620 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 13041664, 1048576, ) == 0x0 00621 296 NtAllocateVirtualMemory (-1, 14082048, 0, 8192, 4096, 4, ... 14082048, 8192, ) == 0x0 00622 296 NtProtectVirtualMemory (-1, (0xd6e000), 4096, 260, ... (0xd6e000), 4096, 4, ) == 0x0 00623 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 116, {292, 584}, ) == 0x0 00624 296 NtQueryInformationThread (116, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=292,Tid=584,}, 0x0, ) == 0x0 00625 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 2012555319} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 2012555319} "\0\0\0\0\1\0\1\0~F\365w\0\0\0\0t\0\0\0$\1\0\0H\2\0\0" ... {28, 56, reply, 0, 292, 296, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\0\0\0$\1\0\0H\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1471, 0} (24, {28, 56, new_msg, 0, 3014732, 4980804, 76, 2012555319} "\0\0\0\0\1\0\1\0~F\365w\0\0\0\0t\0\0\0$\1\0\0H\2\0\0" ... {28, 56, reply, 0, 292, 296, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\0\0\0$\1\0\0H\2\0\0" ) ) == 0x0 00626 296 NtResumeThread (116, ... 1, ) == 0x0 00627 584 NtTestAlert (... ) == 0x0 00628 584 NtContinue (14089520, 1, ... 00629 584 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00630 584 NtDelayExecution (0, {-150000, -1}, ... 00631 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14090240, 1048576, ) == 0x0 00632 296 NtAllocateVirtualMemory (-1, 15130624, 0, 8192, 4096, 4, ... 15130624, 8192, ) == 0x0 00633 296 NtProtectVirtualMemory (-1, (0xe6e000), 4096, 260, ... (0xe6e000), 4096, 4, ) == 0x0 00634 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 
120, {292, 572}, ) == 0x0 00635 296 NtQueryInformationThread (120, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=292,Tid=572,}, 0x0, ) == 0x0 00636 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1471, 0} (24, {28, 56, new_msg, 0, 292, 296, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0$\1\0\0<\2\0\0" ... {28, 56, reply, 0, 292, 296, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0$\1\0\0<\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1472, 0} (24, {28, 56, new_msg, 0, 292, 296, 1471, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0$\1\0\0<\2\0\0" ... {28, 56, reply, 0, 292, 296, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\0\0\0$\1\0\0<\2\0\0" ) ) == 0x0 00637 296 NtResumeThread (120, ... 1, ) == 0x0 00638 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15138816, 1048576, ) == 0x0 00639 296 NtAllocateVirtualMemory (-1, 16179200, 0, 8192, 4096, 4, ... 00640 572 NtTestAlert (... ) == 0x0 00641 572 NtContinue (15138096, 1, ... 00642 572 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00643 572 NtDelayExecution (0, {-150000, -1}, ... 00639 296 NtAllocateVirtualMemory ... 16179200, 8192, ) == 0x0 00644 296 NtProtectVirtualMemory (-1, (0xf6e000), 4096, 260, ... (0xf6e000), 4096, 4, ) == 0x0 00645 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 124, {292, 580}, ) == 0x0 00646 296 NtQueryInformationThread (124, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=292,Tid=580,}, 0x0, ) == 0x0 00647 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1472, 0} (24, {28, 56, new_msg, 0, 292, 296, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\0\0\0$\1\0\0D\2\0\0" ... {28, 56, reply, 0, 292, 296, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\0\0\0$\1\0\0D\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1473, 0} (24, {28, 56, new_msg, 0, 292, 296, 1472, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\0\0\0$\1\0\0D\2\0\0" ... 
{28, 56, reply, 0, 292, 296, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\0\0\0$\1\0\0D\2\0\0" ) ) == 0x0 00648 296 NtResumeThread (124, ... 1, ) == 0x0 00649 580 NtTestAlert (... ) == 0x0 00650 580 NtContinue (16186672, 1, ... 00651 580 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00652 580 NtDelayExecution (0, {-150000, -1}, ... 00653 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 16187392, 1048576, ) == 0x0 00654 296 NtAllocateVirtualMemory (-1, 17227776, 0, 8192, 4096, 4, ... 17227776, 8192, ) == 0x0 00655 296 NtProtectVirtualMemory (-1, (0x106e000), 4096, 260, ... (0x106e000), 4096, 4, ) == 0x0 00656 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 128, {292, 588}, ) == 0x0 00657 296 NtQueryInformationThread (128, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=292,Tid=588,}, 0x0, ) == 0x0 00658 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1473, 0} (24, {28, 56, new_msg, 0, 292, 296, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0$\1\0\0L\2\0\0" ... {28, 56, reply, 0, 292, 296, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0$\1\0\0L\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1474, 0} (24, {28, 56, new_msg, 0, 292, 296, 1473, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0$\1\0\0L\2\0\0" ... {28, 56, reply, 0, 292, 296, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\0\0\0$\1\0\0L\2\0\0" ) ) == 0x0 00659 296 NtResumeThread (128, ... 1, ) == 0x0 00660 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 17235968, 1048576, ) == 0x0 00661 296 NtAllocateVirtualMemory (-1, 18276352, 0, 8192, 4096, 4, ... 00662 588 NtTestAlert (... ) == 0x0 00663 588 NtContinue (17235248, 1, ... 00664 588 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00665 588 NtDelayExecution (0, {-150000, -1}, ... 00661 296 NtAllocateVirtualMemory ... 18276352, 8192, ) == 0x0 00666 296 NtProtectVirtualMemory (-1, (0x116e000), 4096, 260, ... 
(0x116e000), 4096, 4, ) == 0x0 00667 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 132, {292, 576}, ) == 0x0 00668 296 NtQueryInformationThread (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=292,Tid=576,}, 0x0, ) == 0x0 00669 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1474, 0} (24, {28, 56, new_msg, 0, 292, 296, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\0\0\0$\1\0\0@\2\0\0" ... {28, 56, reply, 0, 292, 296, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\0\0\0$\1\0\0@\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1475, 0} (24, {28, 56, new_msg, 0, 292, 296, 1474, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\0\0\0$\1\0\0@\2\0\0" ... {28, 56, reply, 0, 292, 296, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\204\0\0\0$\1\0\0@\2\0\0" ) ) == 0x0 00670 296 NtResumeThread (132, ... 1, ) == 0x0 00671 576 NtTestAlert (... ) == 0x0 00672 576 NtContinue (18283824, 1, ... 00673 576 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00674 576 NtDelayExecution (0, {-150000, -1}, ... 00675 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18284544, 1048576, ) == 0x0 00676 296 NtAllocateVirtualMemory (-1, 19324928, 0, 8192, 4096, 4, ... 19324928, 8192, ) == 0x0 00677 296 NtProtectVirtualMemory (-1, (0x126e000), 4096, 260, ... (0x126e000), 4096, 4, ) == 0x0 00678 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 136, {292, 596}, ) == 0x0 00679 296 NtQueryInformationThread (136, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=292,Tid=596,}, 0x0, ) == 0x0 00680 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1475, 0} (24, {28, 56, new_msg, 0, 292, 296, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\0\0\0$\1\0\0T\2\0\0" ... {28, 56, reply, 0, 292, 296, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\0\0\0$\1\0\0T\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1476, 0} (24, {28, 56, new_msg, 0, 292, 296, 1475, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\0\0\0$\1\0\0T\2\0\0" ... 
{28, 56, reply, 0, 292, 296, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\0\0\0$\1\0\0T\2\0\0" ) ) == 0x0 00681 296 NtResumeThread (136, ... 1, ) == 0x0 00682 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19333120, 1048576, ) == 0x0 00683 296 NtAllocateVirtualMemory (-1, 20373504, 0, 8192, 4096, 4, ... 00684 596 NtTestAlert (... ) == 0x0 00685 596 NtContinue (19332400, 1, ... 00686 596 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00687 596 NtDelayExecution (0, {-150000, -1}, ... 00683 296 NtAllocateVirtualMemory ... 20373504, 8192, ) == 0x0 00688 296 NtProtectVirtualMemory (-1, (0x136e000), 4096, 260, ... (0x136e000), 4096, 4, ) == 0x0 00689 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 140, {292, 636}, ) == 0x0 00690 296 NtQueryInformationThread (140, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=292,Tid=636,}, 0x0, ) == 0x0 00691 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1476, 0} (24, {28, 56, new_msg, 0, 292, 296, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\0\0\0$\1\0\0|\2\0\0" ... {28, 56, reply, 0, 292, 296, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\0\0\0$\1\0\0|\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1477, 0} (24, {28, 56, new_msg, 0, 292, 296, 1476, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\0\0\0$\1\0\0|\2\0\0" ... {28, 56, reply, 0, 292, 296, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\0\0\0$\1\0\0|\2\0\0" ) ) == 0x0 00692 296 NtResumeThread (140, ... 1, ) == 0x0 00693 636 NtTestAlert (... ) == 0x0 00694 636 NtContinue (20380976, 1, ... 00695 636 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00696 636 NtDelayExecution (0, {-150000, -1}, ... 00697 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20381696, 1048576, ) == 0x0 00698 296 NtAllocateVirtualMemory (-1, 21422080, 0, 8192, 4096, 4, ... 21422080, 8192, ) == 0x0 00699 296 NtProtectVirtualMemory (-1, (0x146e000), 4096, 260, ... 
(0x146e000), 4096, 4, ) == 0x0 00700 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244248, 1244964, 1, ... 144, {292, 732}, ) == 0x0 00701 296 NtQueryInformationThread (144, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=292,Tid=732,}, 0x0, ) == 0x0 00702 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1477, 0} (24, {28, 56, new_msg, 0, 292, 296, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0$\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 292, 296, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0$\1\0\0\334\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1478, 0} (24, {28, 56, new_msg, 0, 292, 296, 1477, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0$\1\0\0\334\2\0\0" ... {28, 56, reply, 0, 292, 296, 1478, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\220\0\0\0$\1\0\0\334\2\0\0" ) ) == 0x0 00703 296 NtResumeThread (144, ... 1, ) == 0x0 00704 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 00705 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00706 732 NtTestAlert (... ) == 0x0 00707 732 NtContinue (21429552, 1, ... 00708 732 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00709 732 NtDelayExecution (0, {-20010000, -1}, ... 00705 296 NtCreateEvent ... 152, ) == 0x0 00710 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0 00711 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0 00712 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 164, ) == 0x0 00713 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 00714 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 00715 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 00716 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0 00717 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 00718 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0 00719 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0 00720 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0 00721 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
200, ) == 0x0 00722 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 00723 296 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0 00724 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 21430272, 1048576, ) == 0x0 00725 296 NtAllocateVirtualMemory (-1, 22470656, 0, 8192, 4096, 4, ... 22470656, 8192, ) == 0x0 00726 296 NtProtectVirtualMemory (-1, (0x156e000), 4096, 260, ... (0x156e000), 4096, 4, ) == 0x0 00727 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 212, {292, 744}, ) == 0x0 00728 296 NtQueryInformationThread (212, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=292,Tid=744,}, 0x0, ) == 0x0 00729 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 10919951, 579118559, 726122064, 6072727} (24, {28, 56, new_msg, 0, 10919951, 579118559, 726122064, 6072727} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\324\0\0\0$\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 292, 296, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0$\1\0\0\350\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1479, 0} (24, {28, 56, new_msg, 0, 10919951, 579118559, 726122064, 6072727} "\0\0\0\0\1\0\1\0\34\08\0\2\0\0\0\324\0\0\0$\1\0\0\350\2\0\0" ... {28, 56, reply, 0, 292, 296, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\324\0\0\0$\1\0\0\350\2\0\0" ) ) == 0x0 00730 296 NtResumeThread (212, ... 1, ) == 0x0 00731 296 NtSetInformationThread (212, BasePriority, {thread info, class 3, size 4}, 4, ... 00732 744 NtTestAlert (... ) == 0x0 00733 744 NtContinue (22478128, 1, ... 00734 744 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00735 744 NtWaitForSingleObject (148, 0, 0x0, ... 00731 296 NtSetInformationThread ... ) == 0x0 00736 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 22478848, 1048576, ) == 0x0 00737 296 NtAllocateVirtualMemory (-1, 23519232, 0, 8192, 4096, 4, ... 23519232, 8192, ) == 0x0 00738 296 NtProtectVirtualMemory (-1, (0x166e000), 4096, 260, ... 
(0x166e000), 4096, 4, ) == 0x0 00739 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 216, {292, 788}, ) == 0x0 00740 296 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=292,Tid=788,}, 0x0, ) == 0x0 00741 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1479, 0} (24, {28, 56, new_msg, 0, 292, 296, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0$\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 292, 296, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0$\1\0\0\24\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1480, 0} (24, {28, 56, new_msg, 0, 292, 296, 1479, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0$\1\0\0\24\3\0\0" ... {28, 56, reply, 0, 292, 296, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\330\0\0\0$\1\0\0\24\3\0\0" ) ) == 0x0 00742 296 NtResumeThread (216, ... 1, ) == 0x0 00743 296 NtSetInformationThread (216, BasePriority, {thread info, class 3, size 4}, 4, ... 00744 788 NtTestAlert (... ) == 0x0 00745 788 NtContinue (23526704, 1, ... 00746 788 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00747 788 NtWaitForSingleObject (152, 0, 0x0, ... 00743 296 NtSetInformationThread ... ) == 0x0 00748 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23527424, 1048576, ) == 0x0 00749 296 NtAllocateVirtualMemory (-1, 24567808, 0, 8192, 4096, 4, ... 24567808, 8192, ) == 0x0 00750 296 NtProtectVirtualMemory (-1, (0x176e000), 4096, 260, ... (0x176e000), 4096, 4, ) == 0x0 00751 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 220, {292, 676}, ) == 0x0 00752 296 NtQueryInformationThread (220, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=292,Tid=676,}, 0x0, ) == 0x0 00753 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1480, 0} (24, {28, 56, new_msg, 0, 292, 296, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0$\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 292, 296, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0$\1\0\0\244\2\0\0" ) ... 
{28, 56, reply, 0, 292, 296, 1481, 0} (24, {28, 56, new_msg, 0, 292, 296, 1480, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0$\1\0\0\244\2\0\0" ... {28, 56, reply, 0, 292, 296, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\334\0\0\0$\1\0\0\244\2\0\0" ) ) == 0x0 00754 296 NtResumeThread (220, ... 1, ) == 0x0 00755 676 NtTestAlert (... ) == 0x0 00756 676 NtContinue (24575280, 1, ... 00757 676 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00758 676 NtWaitForSingleObject (156, 0, 0x0, ... 00759 296 NtSetInformationThread (220, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00760 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24576000, 1048576, ) == 0x0 00761 296 NtAllocateVirtualMemory (-1, 25616384, 0, 8192, 4096, 4, ... 25616384, 8192, ) == 0x0 00762 296 NtProtectVirtualMemory (-1, (0x186e000), 4096, 260, ... (0x186e000), 4096, 4, ) == 0x0 00763 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 224, {292, 784}, ) == 0x0 00764 296 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=292,Tid=784,}, 0x0, ) == 0x0 00765 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1481, 0} (24, {28, 56, new_msg, 0, 292, 296, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0$\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 292, 296, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0$\1\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1482, 0} (24, {28, 56, new_msg, 0, 292, 296, 1481, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0$\1\0\0\20\3\0\0" ... {28, 56, reply, 0, 292, 296, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\340\0\0\0$\1\0\0\20\3\0\0" ) ) == 0x0 00766 296 NtResumeThread (224, ... 1, ) == 0x0 00767 296 NtSetInformationThread (224, BasePriority, {thread info, class 3, size 4}, 4, ... 00768 784 NtTestAlert (... ) == 0x0 00769 784 NtContinue (25623856, 1, ... 00770 784 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00771 784 NtWaitForSingleObject (160, 0, 0x0, ... 
00767 296 NtSetInformationThread ... ) == 0x0 00772 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25624576, 1048576, ) == 0x0 00773 296 NtAllocateVirtualMemory (-1, 26664960, 0, 8192, 4096, 4, ... 26664960, 8192, ) == 0x0 00774 296 NtProtectVirtualMemory (-1, (0x196e000), 4096, 260, ... (0x196e000), 4096, 4, ) == 0x0 00775 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 228, {292, 712}, ) == 0x0 00776 296 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=292,Tid=712,}, 0x0, ) == 0x0 00777 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1482, 0} (24, {28, 56, new_msg, 0, 292, 296, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0$\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 292, 296, 1483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0$\1\0\0\310\2\0\0" ) ... {28, 56, reply, 0, 292, 296, 1483, 0} (24, {28, 56, new_msg, 0, 292, 296, 1482, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0$\1\0\0\310\2\0\0" ... {28, 56, reply, 0, 292, 296, 1483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\344\0\0\0$\1\0\0\310\2\0\0" ) ) == 0x0 00778 296 NtResumeThread (228, ... 1, ) == 0x0 00779 296 NtSetInformationThread (228, BasePriority, {thread info, class 3, size 4}, 4, ... 00780 712 NtTestAlert (... ) == 0x0 00781 712 NtContinue (26672432, 1, ... 00782 712 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00783 712 NtWaitForSingleObject (164, 0, 0x0, ... 00779 296 NtSetInformationThread ... ) == 0x0 00784 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 26673152, 1048576, ) == 0x0 00785 296 NtAllocateVirtualMemory (-1, 27713536, 0, 8192, 4096, 4, ... 27713536, 8192, ) == 0x0 00786 296 NtProtectVirtualMemory (-1, (0x1a6e000), 4096, 260, ... (0x1a6e000), 4096, 4, ) == 0x0 00787 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 232, {292, 836}, ) == 0x0 00788 296 NtQueryInformationThread (232, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=292,Tid=836,}, 0x0, ) == 0x0 00789 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1483, 0} (24, {28, 56, new_msg, 0, 292, 296, 1483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0$\1\0\0D\3\0\0" ... {28, 56, reply, 0, 292, 296, 1484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0$\1\0\0D\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1484, 0} (24, {28, 56, new_msg, 0, 292, 296, 1483, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0$\1\0\0D\3\0\0" ... {28, 56, reply, 0, 292, 296, 1484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\350\0\0\0$\1\0\0D\3\0\0" ) ) == 0x0 00790 296 NtResumeThread (232, ... 1, ) == 0x0 00791 296 NtSetInformationThread (232, BasePriority, {thread info, class 3, size 4}, 4, ... 00792 836 NtTestAlert (... ) == 0x0 00793 836 NtContinue (27721008, 1, ... 00794 836 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00795 836 NtWaitForSingleObject (168, 0, 0x0, ... 00791 296 NtSetInformationThread ... ) == 0x0 00796 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27721728, 1048576, ) == 0x0 00797 296 NtAllocateVirtualMemory (-1, 28762112, 0, 8192, 4096, 4, ... 28762112, 8192, ) == 0x0 00798 296 NtProtectVirtualMemory (-1, (0x1b6e000), 4096, 260, ... (0x1b6e000), 4096, 4, ) == 0x0 00799 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 236, {292, 856}, ) == 0x0 00800 296 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=292,Tid=856,}, 0x0, ) == 0x0 00801 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1484, 0} (24, {28, 56, new_msg, 0, 292, 296, 1484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0$\1\0\0X\3\0\0" ... {28, 56, reply, 0, 292, 296, 1485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0$\1\0\0X\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1485, 0} (24, {28, 56, new_msg, 0, 292, 296, 1484, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0$\1\0\0X\3\0\0" ... 
{28, 56, reply, 0, 292, 296, 1485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\354\0\0\0$\1\0\0X\3\0\0" ) ) == 0x0 00802 296 NtResumeThread (236, ... 1, ) == 0x0 00803 296 NtSetInformationThread (236, BasePriority, {thread info, class 3, size 4}, 4, ... 00804 856 NtTestAlert (... ) == 0x0 00805 856 NtContinue (28769584, 1, ... 00806 856 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00807 856 NtWaitForSingleObject (172, 0, 0x0, ... 00803 296 NtSetInformationThread ... ) == 0x0 00808 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28770304, 1048576, ) == 0x0 00809 296 NtAllocateVirtualMemory (-1, 29810688, 0, 8192, 4096, 4, ... 29810688, 8192, ) == 0x0 00810 296 NtProtectVirtualMemory (-1, (0x1c6e000), 4096, 260, ... (0x1c6e000), 4096, 4, ) == 0x0 00811 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 240, {292, 860}, ) == 0x0 00812 296 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=292,Tid=860,}, 0x0, ) == 0x0 00813 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1485, 0} (24, {28, 56, new_msg, 0, 292, 296, 1485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0$\1\0\0\\3\0\0" ... {28, 56, reply, 0, 292, 296, 1486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0$\1\0\0\\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1486, 0} (24, {28, 56, new_msg, 0, 292, 296, 1485, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0$\1\0\0\\3\0\0" ... {28, 56, reply, 0, 292, 296, 1486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\360\0\0\0$\1\0\0\\3\0\0" ) ) == 0x0 00814 296 NtResumeThread (240, ... 1, ) == 0x0 00815 296 NtSetInformationThread (240, BasePriority, {thread info, class 3, size 4}, 4, ... 00816 860 NtTestAlert (... ) == 0x0 00817 860 NtContinue (29818160, 1, ... 00818 860 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00819 860 NtWaitForSingleObject (176, 0, 0x0, ... 00815 296 NtSetInformationThread ... ) == 0x0 00820 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
29818880, 1048576, ) == 0x0 00821 296 NtAllocateVirtualMemory (-1, 30859264, 0, 8192, 4096, 4, ... 30859264, 8192, ) == 0x0 00822 296 NtProtectVirtualMemory (-1, (0x1d6e000), 4096, 260, ... (0x1d6e000), 4096, 4, ) == 0x0 00823 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 244, {292, 864}, ) == 0x0 00824 296 NtQueryInformationThread (244, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=292,Tid=864,}, 0x0, ) == 0x0 00825 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1486, 0} (24, {28, 56, new_msg, 0, 292, 296, 1486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0$\1\0\0`\3\0\0" ... {28, 56, reply, 0, 292, 296, 1487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0$\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1487, 0} (24, {28, 56, new_msg, 0, 292, 296, 1486, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0$\1\0\0`\3\0\0" ... {28, 56, reply, 0, 292, 296, 1487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\364\0\0\0$\1\0\0`\3\0\0" ) ) == 0x0 00826 296 NtResumeThread (244, ... 1, ) == 0x0 00827 864 NtTestAlert (... ) == 0x0 00828 864 NtContinue (30866736, 1, ... 00829 864 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00830 864 NtWaitForSingleObject (180, 0, 0x0, ... 00831 296 NtSetInformationThread (244, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00832 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30867456, 1048576, ) == 0x0 00833 296 NtAllocateVirtualMemory (-1, 31907840, 0, 8192, 4096, 4, ... 31907840, 8192, ) == 0x0 00834 296 NtProtectVirtualMemory (-1, (0x1e6e000), 4096, 260, ... (0x1e6e000), 4096, 4, ) == 0x0 00835 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 248, {292, 868}, ) == 0x0 00836 296 NtQueryInformationThread (248, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=292,Tid=868,}, 0x0, ) == 0x0 00837 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1487, 0} (24, {28, 56, new_msg, 0, 292, 296, 1487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0$\1\0\0d\3\0\0" ... {28, 56, reply, 0, 292, 296, 1488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0$\1\0\0d\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1488, 0} (24, {28, 56, new_msg, 0, 292, 296, 1487, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0$\1\0\0d\3\0\0" ... {28, 56, reply, 0, 292, 296, 1488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\370\0\0\0$\1\0\0d\3\0\0" ) ) == 0x0 00838 296 NtResumeThread (248, ... 1, ) == 0x0 00839 296 NtSetInformationThread (248, BasePriority, {thread info, class 3, size 4}, 4, ... 00840 868 NtTestAlert (... ) == 0x0 00841 868 NtContinue (31915312, 1, ... 00842 868 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00843 868 NtWaitForSingleObject (184, 0, 0x0, ... 00839 296 NtSetInformationThread ... ) == 0x0 00844 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31916032, 1048576, ) == 0x0 00845 296 NtAllocateVirtualMemory (-1, 32956416, 0, 8192, 4096, 4, ... 32956416, 8192, ) == 0x0 00846 296 NtProtectVirtualMemory (-1, (0x1f6e000), 4096, 260, ... (0x1f6e000), 4096, 4, ) == 0x0 00847 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 252, {292, 872}, ) == 0x0 00848 296 NtQueryInformationThread (252, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=292,Tid=872,}, 0x0, ) == 0x0 00849 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1488, 0} (24, {28, 56, new_msg, 0, 292, 296, 1488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0$\1\0\0h\3\0\0" ... {28, 56, reply, 0, 292, 296, 1489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0$\1\0\0h\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1489, 0} (24, {28, 56, new_msg, 0, 292, 296, 1488, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0$\1\0\0h\3\0\0" ... 
{28, 56, reply, 0, 292, 296, 1489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\374\0\0\0$\1\0\0h\3\0\0" ) ) == 0x0 00850 296 NtResumeThread (252, ... 1, ) == 0x0 00851 296 NtSetInformationThread (252, BasePriority, {thread info, class 3, size 4}, 4, ... 00852 872 NtTestAlert (... ) == 0x0 00853 872 NtContinue (32963888, 1, ... 00854 872 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00855 872 NtWaitForSingleObject (188, 0, 0x0, ... 00851 296 NtSetInformationThread ... ) == 0x0 00856 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32964608, 1048576, ) == 0x0 00857 296 NtAllocateVirtualMemory (-1, 34004992, 0, 8192, 4096, 4, ... 34004992, 8192, ) == 0x0 00858 296 NtProtectVirtualMemory (-1, (0x206e000), 4096, 260, ... (0x206e000), 4096, 4, ) == 0x0 00859 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 256, {292, 876}, ) == 0x0 00860 296 NtQueryInformationThread (256, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=292,Tid=876,}, 0x0, ) == 0x0 00861 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1489, 0} (24, {28, 56, new_msg, 0, 292, 296, 1489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0$\1\0\0l\3\0\0" ... {28, 56, reply, 0, 292, 296, 1490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0$\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1490, 0} (24, {28, 56, new_msg, 0, 292, 296, 1489, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0$\1\0\0l\3\0\0" ... {28, 56, reply, 0, 292, 296, 1490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\0\1\0\0$\1\0\0l\3\0\0" ) ) == 0x0 00862 296 NtResumeThread (256, ... 1, ) == 0x0 00863 296 NtSetInformationThread (256, BasePriority, {thread info, class 3, size 4}, 4, ... 00864 876 NtTestAlert (... ) == 0x0 00865 876 NtContinue (34012464, 1, ... 00866 876 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00867 876 NtWaitForSingleObject (192, 0, 0x0, ... 00863 296 NtSetInformationThread ... ) == 0x0 00868 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
34013184, 1048576, ) == 0x0 00869 296 NtAllocateVirtualMemory (-1, 35053568, 0, 8192, 4096, 4, ... 35053568, 8192, ) == 0x0 00870 296 NtProtectVirtualMemory (-1, (0x216e000), 4096, 260, ... (0x216e000), 4096, 4, ) == 0x0 00871 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 260, {292, 880}, ) == 0x0 00872 296 NtQueryInformationThread (260, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=292,Tid=880,}, 0x0, ) == 0x0 00873 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1490, 0} (24, {28, 56, new_msg, 0, 292, 296, 1490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0$\1\0\0p\3\0\0" ... {28, 56, reply, 0, 292, 296, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0$\1\0\0p\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1491, 0} (24, {28, 56, new_msg, 0, 292, 296, 1490, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0$\1\0\0p\3\0\0" ... {28, 56, reply, 0, 292, 296, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\4\1\0\0$\1\0\0p\3\0\0" ) ) == 0x0 00874 296 NtResumeThread (260, ... 1, ) == 0x0 00875 296 NtSetInformationThread (260, BasePriority, {thread info, class 3, size 4}, 4, ... 00876 880 NtTestAlert (... ) == 0x0 00877 880 NtContinue (35061040, 1, ... 00878 880 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00879 880 NtWaitForSingleObject (196, 0, 0x0, ... 00875 296 NtSetInformationThread ... ) == 0x0 00880 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 35061760, 1048576, ) == 0x0 00881 296 NtAllocateVirtualMemory (-1, 36102144, 0, 8192, 4096, 4, ... 36102144, 8192, ) == 0x0 00882 296 NtProtectVirtualMemory (-1, (0x226e000), 4096, 260, ... (0x226e000), 4096, 4, ) == 0x0 00883 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 264, {292, 884}, ) == 0x0 00884 296 NtQueryInformationThread (264, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=292,Tid=884,}, 0x0, ) == 0x0 00885 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1491, 0} (24, {28, 56, new_msg, 0, 292, 296, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\10\1\0\0$\1\0\0t\3\0\0" ... {28, 56, reply, 0, 292, 296, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\10\1\0\0$\1\0\0t\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1492, 0} (24, {28, 56, new_msg, 0, 292, 296, 1491, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\10\1\0\0$\1\0\0t\3\0\0" ... {28, 56, reply, 0, 292, 296, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\10\1\0\0$\1\0\0t\3\0\0" ) ) == 0x0 00886 296 NtResumeThread (264, ... 1, ) == 0x0 00887 296 NtSetInformationThread (264, BasePriority, {thread info, class 3, size 4}, 4, ... 00888 884 NtTestAlert (... ) == 0x0 00889 884 NtContinue (36109616, 1, ... 00890 884 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00891 884 NtWaitForSingleObject (200, 0, 0x0, ... 00887 296 NtSetInformationThread ... ) == 0x0 00892 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 36110336, 1048576, ) == 0x0 00893 296 NtAllocateVirtualMemory (-1, 37150720, 0, 8192, 4096, 4, ... 37150720, 8192, ) == 0x0 00894 296 NtProtectVirtualMemory (-1, (0x236e000), 4096, 260, ... (0x236e000), 4096, 4, ) == 0x0 00895 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 268, {292, 888}, ) == 0x0 00896 296 NtQueryInformationThread (268, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=292,Tid=888,}, 0x0, ) == 0x0 00897 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1492, 0} (24, {28, 56, new_msg, 0, 292, 296, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\14\1\0\0$\1\0\0x\3\0\0" ... {28, 56, reply, 0, 292, 296, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\14\1\0\0$\1\0\0x\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1493, 0} (24, {28, 56, new_msg, 0, 292, 296, 1492, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\14\1\0\0$\1\0\0x\3\0\0" ... 
{28, 56, reply, 0, 292, 296, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\14\1\0\0$\1\0\0x\3\0\0" ) ) == 0x0 00898 296 NtResumeThread (268, ... 1, ) == 0x0 00899 888 NtTestAlert (... ) == 0x0 00900 888 NtContinue (37158192, 1, ... 00901 888 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00902 888 NtWaitForSingleObject (204, 0, 0x0, ... 00903 296 NtSetInformationThread (268, BasePriority, {thread info, class 3, size 4}, 4, ... ) == 0x0 00904 296 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 37158912, 1048576, ) == 0x0 00905 296 NtAllocateVirtualMemory (-1, 38199296, 0, 8192, 4096, 4, ... 38199296, 8192, ) == 0x0 00906 296 NtProtectVirtualMemory (-1, (0x246e000), 4096, 260, ... (0x246e000), 4096, 4, ) == 0x0 00907 296 NtCreateThread (0x1f03ff, 0x0, -1, 1244216, 1244932, 1, ... 272, {292, 892}, ) == 0x0 00908 296 NtQueryInformationThread (272, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=292,Tid=892,}, 0x0, ) == 0x0 00909 296 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 292, 296, 1493, 0} (24, {28, 56, new_msg, 0, 292, 296, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\20\1\0\0$\1\0\0|\3\0\0" ... {28, 56, reply, 0, 292, 296, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\20\1\0\0$\1\0\0|\3\0\0" ) ... {28, 56, reply, 0, 292, 296, 1494, 0} (24, {28, 56, new_msg, 0, 292, 296, 1493, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\20\1\0\0$\1\0\0|\3\0\0" ... {28, 56, reply, 0, 292, 296, 1494, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\2\0\0\0\20\1\0\0$\1\0\0|\3\0\0" ) ) == 0x0 00910 296 NtResumeThread (272, ... 1, ) == 0x0 00911 296 NtSetInformationThread (272, BasePriority, {thread info, class 3, size 4}, 4, ... 00912 892 NtTestAlert (... ) == 0x0 00913 892 NtContinue (38206768, 1, ... 00914 892 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00915 892 NtWaitForSingleObject (208, 0, 0x0, ... 00911 296 NtSetInformationThread ... ) == 0x0 00916 296 NtSetEvent (196, ... 00879 880 NtWaitForSingleObject ... ) == 0x0 00917 880 NtDelayExecution (0, {0, 0}, ... 
) == 0x0 00918 880 NtWaitForSingleObject (196, 0, 0x0, ... 00916 296 NtSetEvent ... 0x0, ) == 0x0 00919 296 NtDelayExecution (0, {0, 0}, ... ) == 0x0 00920 296 NtUserModifyUserStartupInfoFlags (1, 0, ... ) == 0x810e5aa8 00921 296 NtUserGetDCEx (0, 0, 3, ... ) == 0x1010052 00922 296 NtGdiSetupPublicCFONT (16842834, 0, 0, ... 00630 584 NtDelayExecution ... ) == 0x0 00923 584 NtDelayExecution (0, {-20010000, -1}, ... 00643 572 NtDelayExecution ... ) == 0x0 00924 572 NtDelayExecution (0, {-20010000, -1}, ... 00652 580 NtDelayExecution ... ) == 0x0 00925 580 NtDelayExecution (0, {-20010000, -1}, ... 00665 588 NtDelayExecution ... ) == 0x0 00926 588 NtDelayExecution (0, {-20010000, -1}, ... 00674 576 NtDelayExecution ... ) == 0x0 00927 576 NtDelayExecution (0, {-20010000, -1}, ... 00687 596 NtDelayExecution ... ) == 0x0 00928 596 NtDelayExecution (0, {-20010000, -1}, ... 00696 636 NtDelayExecution ... ) == 0x0 00929 636 NtDelayExecution (0, {-20010000, -1}, ... 00922 296 NtGdiSetupPublicCFONT ... ) == 0x100 00930 296 NtGdiGetTextExtent (16842834, 1334984, 7, 1244388, 1, ... ) == 0x1 00931 296 NtUserGetForegroundWindow (... ) == 0x60036 00932 296 NtUserQueryWindow (393270, 0, ... ) == 0xe0 00933 296 NtUserQueryWindow (393270, 1, ... ) == 0xd4 00934 296 NtGdiSetupPublicCFONT (16842834, 0, 0, ... ) == 0x100 00935 296 NtGdiGetTextMetricsW (16842834, 1243308, 68, ... ) == 0x1 00936 296 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00937 296 NtGdiGetTextCharsetInfo (16842834, 0, 0, ... ) == 0x0 00938 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x14040402 00939 296 NtGdiGetRandomRgn (16842834, 335807490, 1, ... ) == 0x0 00940 296 NtGdiIntersectClipRect (16842834, 0, 0, 565, 738, ... ) == 0x3 00941 296 NtGdiExtSelectClipRgn (16842834, 0, 5, ... ) == 0x2 00942 296 NtGdiSetupPublicCFONT (0, 50987263, 6, ... ) == 0x3 00943 296 NtGdiGetTextCharsetInfo (16842834, 0, 0, ... ) == 0x0 00944 296 NtGdiGetRandomRgn (16842834, 352584706, 1, ... 
) == 0x0 00945 296 NtGdiIntersectClipRect (16842834, 0, 0, 274, 738, ... ) == 0x3 00946 296 NtGdiExtSelectClipRgn (16842834, 0, 5, ... ) == 0x2 00947 296 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00948 296 NtUserFindExistingCursorIcon (1243176, 1243192, 1243760, ... ) == 0x10011 00949 296 NtUserSetCursor (65553, ... ) == 0x10015 00950 296 NtUserCallOneParam (1, 49, ... ) == 0x1 00951 296 NtUserFindExistingCursorIcon (1243128, 1243144, 1243712, ... ) == 0x10015 00952 296 NtUserSetCursor (65557, ... ) == 0x10011 00953 296 NtGdiCreateCompatibleDC (0, ... ) == 0xa01040a 00954 296 NtGdiExtGetObjectW (50987263, 92, 1243456, ... ) == 0x5c 00955 296 NtGdiHfontCreate (1242892, 356, 0, 0, 1336368, ... ) == 0x80a0409 00956 296 NtGdiGetTextMetricsW (167838730, 1243396, 68, ... ) == 0x1 00957 296 NtGdiGetWidthTable (167838730, 52, 1337072, 308, 1337688, 1336440, 1336456, ... ) == 0x1 00958 296 NtGdiDeleteObjectApp (167838730, ... ) == 0x1 00959 296 NtUserGetForegroundWindow (... ) == 0x60036 00960 296 NtUserQueryWindow (393270, 0, ... ) == 0xe0 00961 296 NtUserQueryWindow (393270, 1, ... ) == 0xd4 00962 296 NtUserGetAtomName (32770, 1242332, ... ) == 0x6 00963 296 NtUserCreateWindowEx (65793, 32770, 32770, (65793, 32770, 32770, "Themida", -2134375995, 341, 335, 350, 126, 0, 0, 2010382336, 0, 1073742848, 0, ... , -2134375995, 341, 335, 350, 126, 0, 0, 2010382336, 0, 1073742848, 0, ... 00964 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239856, ... ) }, 1239856, ... ) == 0x0 00965 296 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 276, {status=0x0, info=1}, ) }, 5, 96, ... 276, {status=0x0, info=1}, ) == 0x0 00966 296 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 276, ... 280, ) == 0x0 00967 296 NtClose (276, ... ) == 0x0 00968 296 NtMapViewOfSection (280, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0x2470000), 0x0, 204800, ) == 0x0 00969 296 NtClose (280, ... ) == 0x0 00970 296 NtUnmapViewOfSection (-1, 0x2470000, ... ) == 0x0 00971 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240172, ... ) }, 1240172, ... ) == 0x0 00972 296 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 280, {status=0x0, info=1}, ) }, 5, 96, ... 280, {status=0x0, info=1}, ) == 0x0 00973 296 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 280, ... 276, ) == 0x0 00974 296 NtQuerySection (276, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00975 296 NtClose (280, ... ) == 0x0 00976 296 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00977 296 NtClose (276, ... ) == 0x0 00978 296 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 276, ) }, ... 276, ) == 0x0 00979 296 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00980 296 NtClose (276, ... ) == 0x0 00981 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00982 296 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 38207488, 65536, ) == 0x0 00983 296 NtAllocateVirtualMemory (-1, 38207488, 0, 4096, 4096, 4, ... 38207488, 4096, ) == 0x0 00984 296 NtAllocateVirtualMemory (-1, 38211584, 0, 8192, 4096, 4, ... 38211584, 8192, ) == 0x0 00985 296 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 276, ) }, ... 276, ) == 0x0 00986 296 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... 
(0x2480000), 0x0, 12288, ) == 0x0 00987 296 NtClose (276, ... ) == 0x0 00988 296 NtAllocateVirtualMemory (-1, 38219776, 0, 4096, 4096, 4, ... 38219776, 4096, ) == 0x0 00989 296 NtUserGetWindowDC (0, ... ) == 0x1010051 00990 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 00991 296 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00992 296 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 00993 296 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00994 296 NtClose (276, ... ) == 0x0 00995 296 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 276, ) }, ... 276, ) == 0x0 00996 296 NtOpenKey (0x1, {24, 276, 0x40, 0, 0, (0x1, {24, 276, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 280, ) }, ... 280, ) == 0x0 00997 296 NtQueryValueKey (280, (280, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00998 296 NtClose (280, ... ) == 0x0 00999 296 NtClose (276, ... ) == 0x0 01000 296 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01001 296 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 276, ) == 0x0 01002 296 NtQueryInformationToken (276, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01003 296 NtClose (276, ... ) == 0x0 01004 296 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 276, ) }, ... 276, ) == 0x0 01005 296 NtOpenKey (0x1, {24, 276, 0x40, 0, 0, (0x1, {24, 276, 0x40, 0, 0, "Control Panel\Desktop"}, ... 280, ) }, ... 280, ) == 0x0 01006 296 NtQueryValueKey (280, (280, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01007 296 NtClose (280, ... ) == 0x0 01008 296 NtClose (276, ... 
) == 0x0 01009 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1239672, ... ) }, 1239672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01010 296 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1239672, ... ) }, 1239672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1239672, ... ) }, 1239672, ... ) == 0x0 01012 296 NtUserGetProcessWindowStation (... ) == 0x24 01013 296 NtUserGetObjectInformation (36, 2, 0, 0, 1241968, ... ) == 0x0 01014 296 NtUserGetObjectInformation (36, 2, 1338488, 16, 1241968, ... ) == 0x1 01015 296 NtUserGetGUIThreadInfo (296, 1241924, ... ) == 0x1 01016 296 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1241744, 64, ... 276, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241744, 64, ... 276, 0x0, 0x0, 0x0, 64, ) == 0x0 01017 296 NtRequestWaitReplyPort (276, {32, 56, new_msg, 0, 0, 0, 0, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 292, 296, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 292, 296, 1499, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 292, 296, 1499, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01018 296 NtRequestWaitReplyPort (276, {32, 56, new_msg, 0, 0, 0, 0, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 292, 296, 1500, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 292, 296, 1500, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 292, 296, 1500, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01019 296 NtUserCallNoParam (29, ... 01020 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 01019 296 NtUserCallNoParam ... ) == 0x0 01021 296 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 01022 296 NtGdiHfontCreate (1241296, 356, 0, 0, 1336360, ... ) == 0xb0a040a 01023 296 NtGdiHfontCreate (1241296, 356, 0, 0, 1336352, ... ) == 0xb0a040b 01024 296 NtRequestWaitReplyPort (276, {32, 56, new_msg, 0, 0, 0, 0, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 292, 296, 1501, 0} "\0\0\0\0\0\0\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 292, 296, 1501, 0} (276, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 292, 296, 1501, 0} "\0\0\0\0\0\0\0\0\30\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01025 296 NtMapViewOfSection (280, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x2490000), {0, 0}, 331776, ) == 0x0 01026 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01027 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01028 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01029 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01030 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01031 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01032 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01033 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01034 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01035 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01036 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01037 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01038 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01039 296 NtUserCallOneParam (16842833, 56, ... 
) == 0x1 01040 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01041 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01042 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01043 296 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0xc1003fd 01044 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01045 296 NtUserCallNoParam (29, ... 01046 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238660, ... ) }, 1238660, ... ) == 0x0 01047 296 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 01045 296 NtUserCallNoParam ... ) == 0x0 01048 296 NtUserCallNoParam (29, ... 01049 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1238656, ... ) }, 1238656, ... ) == 0x0 01048 296 NtUserCallNoParam ... ) == 0x0 01050 296 NtUserSetWindowFNID (131252, 676, ... ) == 0x1 01051 296 NtUserCallHwndParam (131252, 1338556, 78, ... ) == 0x146cbc 01052 296 NtUserMessageCall (0x200b4, WM_NCCREATE, 0x0, 0x12f488, 0, 670, 0, ... ) == 0x1 01053 296 NtUserMessageCall (0x200b4, WM_NCCALCSIZE, 0x0, 0x12f4b0, 0, 670, 0, ... ) == 0x0 01054 296 NtUserGetClassName (131252, 0, 1241464, ... ) == 0x6 01055 296 NtUserRemoveProp (131252, 43282, ... ) == 0x0 01056 296 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 3801155, 5701724, 5111881, 5177412} (24, {24, 52, new_msg, 0, 3801155, 5701724, 5111881, 5177412} "\0\0\0\0\5\4\3\0y\0s\0t\0e\0(\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 292, 296, 1502, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0e\0(\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 292, 296, 1502, 0} (24, {24, 52, new_msg, 0, 3801155, 5701724, 5111881, 5177412} "\0\0\0\0\5\4\3\0y\0s\0t\0e\0(\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 292, 296, 1502, 0} "\0\0\0\0\5\4\3\0\0\0\0\0t\0e\0(\1\0\0\0\0\0\0" ) ) == 0x0 01057 296 NtUserGetThreadDesktop (296, 0, ... ) == 0x28 01058 296 NtUserGetObjectInformation (40, 2, 1241140, 520, 0, ... 
) == 0x1 01059 296 NtGdiDeleteObjectApp (202376189, ... ) == 0x1 01060 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01061 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01062 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01063 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01064 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01065 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01066 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01067 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01068 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01069 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01070 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01071 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01072 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01073 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01074 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01075 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01076 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01077 296 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0xd1003fd 01078 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01079 296 NtAllocateVirtualMemory (-1, 38223872, 0, 4096, 4096, 4, ... 38223872, 4096, ) == 0x0 01080 296 NtUserSetProp (131252, 43288, 38223192, ... ) == 0x1 00963 296 NtUserCreateWindowEx ... ) == 0x200b4 01081 296 NtUserCallHwndLock (131252, 89, ... 01082 296 NtQueryDefaultUILanguage (2013024600, ... 01083 296 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01084 296 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482044, ) == 0x0 01085 296 NtQueryInformationToken (-2147482044, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01086 296 NtClose (-2147482044, ... ) == 0x0 01087 296 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482044, ) }, ... 
-2147482044, ) == 0x0 01088 296 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01089 296 NtOpenKey (0x80000000, {24, -2147482044, 0x640, 0, 0, (0x80000000, {24, -2147482044, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482056, ) }, ... -2147482056, ) == 0x0 01090 296 NtQueryValueKey (-2147482056, (-2147482056, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01091 296 NtClose (-2147482056, ... ) == 0x0 01092 296 NtClose (-2147482044, ... ) == 0x0 01082 296 NtQueryDefaultUILanguage ... ) == 0x0 01093 296 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 01094 296 NtQueryDefaultLocale (1, 1243232, ... ) == 0x0 01095 296 NtUserCallNoParam (0, ... ) == 0x300a5 01096 296 NtUserCallNoParam (0, ... ) == 0x300a3 01097 296 NtUserThunkedMenuItemInfo (196771, -1, 1, 1, 1243272, 1243320, ... 01098 296 NtAllocateVirtualMemory (-1, 7634944, 0, 4096, 4096, 32, ... 7634944, 4096, ) == 0x0 01097 296 NtUserThunkedMenuItemInfo ... ) == 0x1 01099 296 NtUserThunkedMenuItemInfo (196771, -1, 1, 1, 1243272, 1243320, ... ) == 0x1 01100 296 NtUserThunkedMenuItemInfo (196773, -1, 1, 1, 1243368, 1243416, ... ) == 0x1 01081 296 NtUserCallHwndLock ... ) == 0x1 01101 296 NtUserGetAtomName (49175, 1242332, ... ) == 0x6 01102 296 NtUserCreateWindowEx (4, 49175, 49175, (4, 49175, 49175, "OK", 1342373889, 134, 60, 75, 23, 131252, 1, 2010382336, 0, 1073742848, 0, ... , 1342373889, 134, 60, 75, 23, 131252, 1, 2010382336, 0, 1073742848, 0, ... 01103 296 NtUserSetWindowFNID (65734, 673, ... ) == 0x1 01104 296 NtUserSetWindowLong (65734, 0, 1338788, 0, ... ) == 0x0 01105 296 NtUserMessageCall (0x100c6, WM_NCCREATE, 0x0, 0x12f488, 0, 670, 0, ... ) == 0x1 01106 296 NtUserMessageCall (0x100c6, WM_NCCALCSIZE, 0x0, 0x12f4b0, 0, 670, 0, ... ) == 0x0 01107 296 NtUserSetProp (65734, 43288, -1, ... 
) == 0x1 01102 296 NtUserCreateWindowEx ... ) == 0x100c6 01108 296 NtUserGetAtomName (49177, 1242332, ... ) == 0x6 01109 296 NtUserCreateWindowEx (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 131252, 20, 2010382336, 0, 1073742848, 0, ... 01110 296 NtUserSetWindowFNID (65736, 680, ... ) == 0x1 01111 296 NtUserSetWindowLong (65736, 0, 1338992, 0, ... ) == 0x0 01112 296 NtUserMessageCall (0x100c8, WM_NCCREATE, 0x0, 0x12f488, 0, 670, 0, ... ) == 0x1 01113 296 NtUserMessageCall (0x100c8, WM_NCCALCSIZE, 0x0, 0x12f4b0, 0, 670, 0, ... ) == 0x0 01114 296 NtUserSetProp (65736, 43288, -1, ... ) == 0x1 01115 296 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x0 01116 296 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x0 01117 296 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x10009 01118 296 NtUserGetIconSize (65545, 0, 1241724, 1241728, ... ) == 0x1 01119 296 NtUserGetCursorFrameInfo (65545, 0, 1241760, 1241736, ... ) == 0x10009 01120 296 NtUserSetWindowPos (65736, 0, 0, 0, 32, 32, 22, ... 01121 296 NtUserMessageCall (0x100c8, WM_WINDOWPOSCHANGING, 0x0, 0x12f1f8, 0, 670, 0, ... ) == 0x0 01122 296 NtUserMessageCall (0x100c8, WM_NCCALCSIZE, 0x1, 0x12f1cc, 0, 670, 0, ... ) == 0x0 01120 296 NtUserSetWindowPos ... ) == 0x1 01109 296 NtUserCreateWindowEx ... ) == 0x100c8 01123 296 NtUserGetAtomName (49177, 1242332, ... ) == 0x6 01124 296 NtUserCreateWindowEx (4, 49177, 49177, "Sorry, this application cannot run under a Virtual Machine", 1342316672, 62, 20, 276, 15, 131252, 65535, 2010382336, 0, 1073742848, 0, ... 01125 296 NtUserSetWindowFNID (65738, 680, ... ) == 0x1 01126 296 NtUserSetWindowLong (65738, 0, 1338968, 0, ... ) == 0x0 01127 296 NtUserMessageCall (0x100ca, WM_NCCREATE, 0x0, 0x12f488, 0, 670, 0, ... ) == 0x1 01128 296 NtUserMessageCall (0x100ca, WM_NCCALCSIZE, 0x0, 0x12f4b0, 0, 670, 0, ... 
) == 0x0 01129 296 NtUserSetProp (65738, 43288, -1, ... ) == 0x1 01124 296 NtUserCreateWindowEx ... ) == 0x100ca 01130 296 NtUserSetWindowLong (131252, -21, 1244832, 0, ... ) == 0x0 01131 296 NtUserCallHwnd (131252, 72, ... ) == 0xbc647c70 01132 296 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 01133 296 NtAllocateVirtualMemory (-1, 0, 0, 131064, 8192, 4, ... 38731776, 131072, ) == 0x0 01134 296 NtAllocateVirtualMemory (-1, 38731776, 0, 4096, 4096, 4, ... 38731776, 4096, ) == 0x0 01135 296 NtUserSetFocus (65734, ... 01136 296 NtUserMessageCall (0x200b4, WM_NCACTIVATE, 0x1, 0xffffffff, 0, 670, 0, ... ) == 0x1 01137 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... "Themida", ) , ) == 0x7 01138 296 NtUserGetWindowDC (131252, ... ) == 0x1010053 01139 296 NtGdiGetTextMetricsW (16842835, 1241392, 68, ... ) == 0x1 01140 296 NtGdiGetRandomRgn (16842835, 369361922, 1, ... ) == 0x0 01141 296 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 01142 296 NtGdiGetWidthTable (16842835, 7, 1340440, 263, 1340966, 1339808, 1339824, ... ) == 0x1 01143 296 NtGdiExtSelectClipRgn (16842835, 0, 5, ... ) == 0x1 01144 296 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01145 296 NtUserCalcMenuBar (131252, 3, 3, 29, 38223376, ... ) == 0x0 01146 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 1241360, 690, 0, ... 01147 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01146 296 NtUserMessageCall ... ) == 0x0 01148 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 1241360, 690, 0, ... 01149 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01148 296 NtUserMessageCall ... ) == 0x0 01150 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 1241360, 690, 0, ... 01151 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01150 296 NtUserMessageCall ... ) == 0x0 01152 296 NtUserGetTitleBarInfo (131252, 1241988, ... 
) == 0x1 01153 296 NtUserGetDCEx (131252, 0, 66561, ... ) == 0x1010050 01154 296 NtGdiExcludeClipRect (16842832, 3, 29, 347, 123, ... ) == 0x3 01155 296 NtGdiDrawStream (16842832, 96, 1241392, ... ) == 0x1 01156 296 NtGdiDrawStream (16842832, 96, 1241392, ... ) == 0x1 01157 296 NtGdiDrawStream (16842832, 96, 1241392, ... ) == 0x1 01158 296 NtGdiCreateCompatibleBitmap (16842832, 350, 29, ... ) == 0xc050405 01159 296 NtGdiCreateCompatibleDC (16842832, ... ) == 0x9010406 01160 296 NtGdiSelectBitmap (151061510, 201655301, ... ) == 0x185000f 01161 296 NtGdiDrawStream (151061510, 96, 1241284, ... ) == 0x1 01162 296 NtGdiDrawStream (151061510, 96, 1241240, ... ) == 0x1 01163 296 NtGdiDrawStream (151061510, 96, 1241240, ... ) == 0x1 01164 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... "Themida", ) , ) == 0x7 01165 296 NtGdiGetRandomRgn (151061510, 386139138, 1, ... ) == 0x0 01166 296 NtGdiIntersectClipRect (151061510, 8, 8, 322, 25, ... ) == 0x3 01167 296 NtGdiExtSelectClipRgn (151061510, 0, 5, ... ) == 0x2 01168 296 NtGdiGetRandomRgn (151061510, 402916354, 1, ... ) == 0x0 01169 296 NtGdiIntersectClipRect (151061510, 7, 7, 321, 25, ... ) == 0x3 01170 296 NtGdiExtSelectClipRgn (151061510, 0, 5, ... ) == 0x2 01171 296 NtGdiBitBlt (16842832, 0, 0, 350, 29, 151061510, 0, 0, 13369376, -1, 0, ... ) == 0x1 01172 296 NtGdiSelectBitmap (151061510, 25493519, ... ) == 0xc050405 01173 296 NtGdiDeleteObjectApp (151061510, ... ) == 0x1 01174 296 NtGdiDeleteObjectApp (201655301, ... ) == 0x1 01175 296 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01135 296 NtUserSetFocus ... ) == 0x0 01176 296 NtUserSetWindowLong (65734, -12, 2, 0, ... ) == 0x1 01177 296 NtUserGetClassName (65734, 0, 1242876, ... ) == 0x6 01178 296 NtUserGetClassName (65736, 0, 1242876, ... ) == 0x6 01179 296 NtUserGetClassName (65738, 0, 1242876, ... ) == 0x6 01180 296 NtUserGetAncestor (131252, 1, ... ) == 0x10014 01181 296 NtUserSetWindowPos (131252, 0, 341, 335, 350, 126, 1047, ... 
) == 0x1 01182 296 NtUserMessageCall (0x200b4, 0x128, 0x30001, 0x0, 0, 670, 0, ... 01183 296 NtUserMessageCall (0x100c6, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01184 296 NtUserMessageCall (0x100c8, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01185 296 NtUserMessageCall (0x100ca, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 01182 296 NtUserMessageCall ... ) == 0x0 01186 296 NtUserShowWindow (131252, 1, ... 01187 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... "Themida", ) , ) == 0x7 01188 296 NtUserGetWindowDC (131252, ... ) == 0x1010050 01189 296 NtGdiGetRandomRgn (16842832, 419693570, 1, ... ) == 0x0 01190 296 NtGdiIntersectClipRect (16842832, 0, 0, 0, 0, ... ) == 0x3 01191 296 NtGdiGetCharSet (16842832, ... ) == 0x4e4 01192 296 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 01193 296 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01194 296 NtUserCalcMenuBar (131252, 3, 3, 29, 38223376, ... ) == 0x0 01195 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 1241976, 690, 0, ... 01196 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01195 296 NtUserMessageCall ... ) == 0x0 01197 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 1241976, 690, 0, ... 01198 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01197 296 NtUserMessageCall ... ) == 0x0 01199 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 1241976, 690, 0, ... 01200 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01199 296 NtUserMessageCall ... ) == 0x0 01201 296 NtUserGetTitleBarInfo (131252, 1242604, ... ) == 0x1 01202 296 NtUserGetDCEx (131252, 0, 66561, ... ) == 0x1010053 01203 296 NtGdiExcludeClipRect (16842835, 3, 29, 347, 123, ... ) == 0x3 01204 296 NtGdiDrawStream (16842835, 96, 1242008, ... ) == 0x1 01205 296 NtGdiDrawStream (16842835, 96, 1242008, ... ) == 0x1 01206 296 NtGdiDrawStream (16842835, 96, 1242008, ... 
) == 0x1 01207 296 NtGdiCreateCompatibleBitmap (16842835, 350, 29, ... ) == 0x10050405 01208 296 NtGdiCreateCompatibleDC (16842835, ... ) == 0x7010403 01209 296 NtGdiSelectBitmap (117507075, 268764165, ... ) == 0x185000f 01210 296 NtGdiDrawStream (117507075, 96, 1241900, ... ) == 0x1 01211 296 NtGdiDrawStream (117507075, 96, 1241856, ... ) == 0x1 01212 296 NtGdiDrawStream (117507075, 96, 1241856, ... ) == 0x1 01213 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... "Themida", ) , ) == 0x7 01214 296 NtGdiGetRandomRgn (117507075, 436470786, 1, ... ) == 0x0 01215 296 NtGdiIntersectClipRect (117507075, 8, 8, 322, 25, ... ) == 0x3 01216 296 NtGdiExtSelectClipRgn (117507075, 0, 5, ... ) == 0x2 01217 296 NtGdiGetRandomRgn (117507075, 453248002, 1, ... ) == 0x0 01218 296 NtGdiIntersectClipRect (117507075, 7, 7, 321, 25, ... ) == 0x3 01219 296 NtGdiExtSelectClipRgn (117507075, 0, 5, ... ) == 0x2 01220 296 NtGdiBitBlt (16842835, 0, 0, 350, 29, 117507075, 0, 0, 13369376, -1, 0, ... ) == 0x1 01221 296 NtGdiSelectBitmap (117507075, 25493519, ... ) == 0x10050405 01222 296 NtGdiDeleteObjectApp (117507075, ... ) == 0x1 01223 296 NtGdiDeleteObjectApp (268764165, ... ) == 0x1 01224 296 NtUserCallOneParam (16842835, 56, ... ) == 0x1 01225 296 NtUserFillWindow (131252, 131252, 16842836, 4, ... 01226 296 NtUserGetAncestor (131252, 1, ... ) == 0x10014 01227 296 NtUserGetAncestor (65556, 1, ... ) == 0x0 01225 296 NtUserFillWindow ... ) == 0x1 01228 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... "Themida", ) , ) == 0x7 01229 296 NtUserGetWindowDC (131252, ... ) == 0x1010050 01230 296 NtGdiGetRandomRgn (16842832, 470025218, 1, ... ) == 0x0 01231 296 NtGdiIntersectClipRect (16842832, 0, 0, 0, 0, ... ) == 0x3 01232 296 NtGdiGetCharSet (16842832, ... ) == 0x4e4 01233 296 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 01234 296 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01235 296 NtUserCalcMenuBar (131252, 3, 3, 29, 38223376, ... 
) == 0x0 01236 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 1242260, 690, 0, ... 01237 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01236 296 NtUserMessageCall ... ) == 0x0 01238 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 1242260, 690, 0, ... 01239 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01238 296 NtUserMessageCall ... ) == 0x0 01240 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 1242260, 690, 0, ... 01241 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01240 296 NtUserMessageCall ... ) == 0x0 01242 296 NtUserGetTitleBarInfo (131252, 1242888, ... ) == 0x1 01243 296 NtUserBuildHwndList (0, 131252, 1, 0, 64, ... (0x100c6, 0x100c8, 0x100ca, 0x1, ), 4, ) == 0x0 01244 296 NtUserGetWindowDC (0, ... ) == 0x1010051 01245 296 NtUserCallOneParam (16842833, 56, ... ) == 0x1 01246 296 NtGdiExtCreateRegion (0, 112, 38224872, ... ) == 0x12040405 01247 296 NtGdiOffsetRgn (302253061, 0, 0, ... ) == 0x3 01248 296 NtGdiCombineRgn (486802434, 302253061, 486802434, 5, ... ) == 0x3 01249 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x8040403 01250 296 NtGdiCombineRgn (486802434, 134480899, 486802434, 2, ... ) == 0x3 01251 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x6040404 01252 296 NtGdiCombineRgn (486802434, 100926468, 486802434, 2, ... ) == 0x3 01253 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0xf0403e5 01254 296 NtGdiCombineRgn (486802434, 251921381, 486802434, 2, ... ) == 0x3 01255 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0xa0403e8 01256 296 NtGdiCombineRgn (486802434, 168035304, 486802434, 2, ... ) == 0x3 01257 296 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x1d0403d8 01258 296 NtGdiCombineRgn (486802392, 486802434, 0, 5, ... ) == 0x3 01259 296 NtUserSetWindowRgn (131252, 486802434, 1, ... 01260 296 NtUserMessageCall (0x200b4, WM_NCCALCSIZE, 0x1, 0x12f64c, 0, 670, 0, ... ) == 0x0 01261 296 NtUserInternalGetWindowText (0x200b4, 260, ... 
(0x200b4, 260, ... "Themida", ) , ) == 0x7 01262 296 NtUserGetWindowDC (131252, ... ) == 0x1010050 01263 296 NtGdiGetRandomRgn (16842832, 184812520, 1, ... ) == 0x0 01264 296 NtGdiIntersectClipRect (16842832, 0, 0, 0, 0, ... ) == 0x3 01265 296 NtGdiGetCharSet (16842832, ... ) == 0x4e4 01266 296 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x3 01267 296 NtUserCallOneParam (16842832, 56, ... ) == 0x1 01268 296 NtUserCalcMenuBar (131252, 3, 3, 29, 38223376, ... ) == 0x0 01269 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 1241060, 690, 0, ... 01270 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01269 296 NtUserMessageCall ... ) == 0x0 01271 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 1241060, 690, 0, ... 01272 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01271 296 NtUserMessageCall ... ) == 0x0 01273 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 1241060, 690, 0, ... 01274 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01273 296 NtUserMessageCall ... ) == 0x0 01275 296 NtUserGetTitleBarInfo (131252, 1241688, ... ) == 0x1 01276 296 NtUserGetDCEx (131252, 0, 66561, ... ) == 0x1010054 01277 296 NtGdiExcludeClipRect (16842836, 3, 29, 347, 123, ... ) == 0x3 01278 296 NtGdiDrawStream (16842836, 96, 1241092, ... ) == 0x1 01279 296 NtGdiDrawStream (16842836, 96, 1241092, ... ) == 0x1 01280 296 NtGdiDrawStream (16842836, 96, 1241092, ... ) == 0x1 01281 296 NtGdiCreateCompatibleBitmap (16842836, 350, 29, ... ) == 0x90503ff 01282 296 NtGdiCreateCompatibleDC (16842836, ... ) == 0x70103f9 01283 296 NtGdiSelectBitmap (117507065, 151323647, ... ) == 0x185000f 01284 296 NtGdiDrawStream (117507065, 96, 1240984, ... ) == 0x1 01285 296 NtGdiDrawStream (117507065, 96, 1240940, ... ) == 0x1 01286 296 NtGdiDrawStream (117507065, 96, 1240940, ... ) == 0x1 01287 296 NtUserInternalGetWindowText (0x200b4, 260, ... (0x200b4, 260, ... 
"Themida", ) , ) == 0x7 01288 296 NtGdiGetRandomRgn (117507065, 201589736, 1, ... ) == 0x0 01289 296 NtGdiIntersectClipRect (117507065, 8, 8, 322, 25, ... ) == 0x3 01290 296 NtGdiExtSelectClipRgn (117507065, 0, 5, ... ) == 0x2 01291 296 NtGdiGetRandomRgn (117507065, 218366952, 1, ... ) == 0x0 01292 296 NtGdiIntersectClipRect (117507065, 7, 7, 321, 25, ... ) == 0x3 01293 296 NtGdiExtSelectClipRgn (117507065, 0, 5, ... ) == 0x2 01294 296 NtGdiBitBlt (16842836, 0, 0, 350, 29, 117507065, 0, 0, 13369376, -1, 0, ... ) == 0x1 01295 296 NtGdiSelectBitmap (117507065, 25493519, ... ) == 0x90503ff 01296 296 NtGdiDeleteObjectApp (117507065, ... ) == 0x1 01297 296 NtGdiDeleteObjectApp (151323647, ... ) == 0x1 01298 296 NtUserCallOneParam (16842836, 56, ... ) == 0x1 01299 296 NtUserFillWindow (131252, 131252, 16842835, 4, ... 01300 296 NtUserGetAncestor (131252, 1, ... ) == 0x10014 01301 296 NtUserGetAncestor (65556, 1, ... ) == 0x0 01299 296 NtUserFillWindow ... ) == 0x1 01259 296 NtUserSetWindowRgn ... ) == 0x1 01186 296 NtUserShowWindow ... ) == 0x0 01302 296 NtUserCallHwndLock (131252, 93, ... 01303 296 NtUserMessageCall (0x200b4, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01304 296 NtUserBeginPaint (0x100c6, 1243260, ... 01305 296 NtUserMessageCall (0x100c6, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01304 296 NtUserBeginPaint ... ) == 0x1010053 01306 296 NtUserGetControlBrush (0x100c6, 16842835, 309, ... ) == 0x1100056 01307 296 NtGdiIntersectClipRect (16842835, 0, 0, 75, 23, ... ) == 0x3 01308 296 NtGdiIntersectClipRect (16842835, 3, 3, 72, 20, ... ) == 0x3 01309 296 NtUserEndPaint (0x100c6, 1243260, ... ) == 0x1 01310 296 NtUserBeginPaint (0x100c8, 1243272, ... 01311 296 NtUserMessageCall (0x100c8, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01310 296 NtUserBeginPaint ... ) == 0x1010053 01312 296 NtGdiIntersectClipRect (16842835, 0, 0, 32, 32, ... ) == 0x3 01313 296 NtUserGetControlBrush (0x100c8, 16842835, 312, ... 
) == 0x1100056 01314 296 NtGdiGetDCDword (16842835, 7, 1242992, ... ) == 0x1 01315 296 NtUserDrawIconEx (16842835, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1243036, ... ) == 0x1 01316 296 NtUserEndPaint (0x100c8, 1243272, ... ) == 0x1 01317 296 NtUserBeginPaint (0x100ca, 1243272, ... 01318 296 NtUserMessageCall (0x100ca, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01317 296 NtUserBeginPaint ... ) == 0x1010053 01319 296 NtGdiIntersectClipRect (16842835, 0, 0, 276, 15, ... ) == 0x3 01320 296 NtUserGetControlBrush (0x100ca, 16842835, 312, ... ) == 0x1100056 01321 296 NtGdiGetTextCharsetInfo (16842835, 0, 0, ... ) == 0x0 01322 296 NtUserEndPaint (0x100ca, 1243272, ... ) == 0x1 01302 296 NtUserCallHwndLock ... ) == 0x1 01323 296 NtUserPeekMessage (0, 0, 0, 1, ... 01324 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241124, ... ) == 0x0 01325 296 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 284, {status=0x0, info=1}, ) == 0x0 01326 296 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 284, ... 288, ) == 0x0 01327 296 NtClose (284, ... ) == 0x0 01328 296 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x2510000), 0x0, 45056, ) == 0x0 01329 296 NtClose (288, ... ) == 0x0 01330 296 NtUnmapViewOfSection (-1, 0x2510000, ... ) == 0x0 01331 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241440, ... ) == 0x0 01332 296 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241440, ... ) == 0x0 01333 296 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ...
288, {status=0x0, info=1}, ) == 0x0 01334 296 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 288, ... 284, ) == 0x0 01335 296 NtQuerySection (284, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01336 296 NtClose (288, ... ) == 0x0 01337 296 NtMapViewOfSection (284, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 49152, ) == 0x0 01338 296 NtClose (284, ... ) == 0x0 01339 296 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... (0x10006000), 4096, 2, ) == 0x0 01340 296 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 01341 296 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 01342 296 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... (0x10006000), 4096, 2, ) == 0x0 01343 296 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 01344 296 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 01345 296 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01346 296 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 38862848, 65536, ) == 0x0 01347 296 NtAllocateVirtualMemory (-1, 38862848, 0, 4096, 4096, 4, ... 38862848, 4096, ) == 0x0 01348 296 NtAllocateVirtualMemory (-1, 38866944, 0, 8192, 4096, 4, ... 38866944, 8192, ) == 0x0 01349 296 NtQueryPerformanceCounter (... {111340293, 0}, {3579545, 0}, ) == 0x0 01350 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01323 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cb1, {512, 384}}, ) == 0x1 01351 296 NtOpenProcessToken (-1, 0x8, ... 284, ) == 0x0 01352 296 NtQueryInformationToken (284, Statistics, 56, ...
{token info, class 10, size 56}, 56, ) == 0x0 01353 296 NtClose (284, ... ) == 0x0 01354 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01355 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cb1, {512, 384}}, ) == 0x0 01356 296 NtUserWaitMessage (... ) == 0x1 01357 296 NtUserPeekMessage (0, 0, 0, 1, ... 01358 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01357 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01359 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01360 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01361 296 NtUserWaitMessage (... ) == 0x1 01362 296 NtUserPeekMessage (0, 0, 0, 1, ... 01363 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01362 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01364 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01365 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01366 296 NtUserWaitMessage (... ) == 0x1 01367 296 NtUserPeekMessage (0, 0, 0, 1, ... 01368 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01367 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01369 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01370 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01371 296 NtUserWaitMessage (... ) == 0x1 01372 296 NtUserPeekMessage (0, 0, 0, 1, ... 01373 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01372 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01374 296 NtUserCallMsgFilter (1243628, 0, ... 
) == 0x0 01375 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01376 296 NtUserWaitMessage (... ) == 0x1 01377 296 NtUserPeekMessage (0, 0, 0, 1, ... 01378 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01377 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01379 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01380 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01381 296 NtUserWaitMessage (... ) == 0x1 01382 296 NtUserPeekMessage (0, 0, 0, 1, ... 01383 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01382 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01384 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01385 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01386 296 NtUserWaitMessage (... ) == 0x1 01387 296 NtUserPeekMessage (0, 0, 0, 1, ... 01388 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01387 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01389 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01390 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01391 296 NtUserWaitMessage (... ) == 0x1 01392 296 NtUserPeekMessage (0, 0, 0, 1, ... 01393 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01392 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01394 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01395 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01396 296 NtUserWaitMessage (... 
) == 0x1 01397 296 NtUserPeekMessage (0, 0, 0, 1, ... 01398 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01397 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01399 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01400 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01401 296 NtUserWaitMessage (... ) == 0x1 01402 296 NtUserPeekMessage (0, 0, 0, 1, ... 01403 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01402 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x1 01404 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01405 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7cc1, {512, 384}}, ) == 0x0 01406 296 NtUserWaitMessage (... ) == 0x1 01407 296 NtUserPeekMessage (0, 0, 0, 1, ... 01408 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01407 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7e28, {512, 384}}, ) == 0x1 01409 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01410 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7e28, {512, 384}}, ) == 0x0 01411 296 NtUserWaitMessage (... ) == 0x1 01412 296 NtUserPeekMessage (0, 0, 0, 1, ... 01413 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 01412 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7e28, {512, 384}}, ) == 0x0 01414 296 NtUserWaitMessage (... ) == 0x1 01415 296 NtUserPeekMessage (0, 0, 0, 1, ... 01416 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 01415 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7e28, {512, 384}}, ) == 0x0 01417 296 NtUserWaitMessage (... ) == 0x1 01418 296 NtUserPeekMessage (0, 0, 0, 1, ... 
01419 296 NtUserMessageCall (0x200b4, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 01418 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x7e28, {512, 384}}, ) == 0x0 01420 296 NtUserWaitMessage (... 00709 732 NtDelayExecution ... ) == 0x0 01421 732 NtDelayExecution (0, {-20010000, -1}, ... 00923 584 NtDelayExecution ... ) == 0x0 00924 572 NtDelayExecution ... ) == 0x0 00925 580 NtDelayExecution ... ) == 0x0 00926 588 NtDelayExecution ... ) == 0x0 00927 576 NtDelayExecution ... ) == 0x0 00928 596 NtDelayExecution ... ) == 0x0 00929 636 NtDelayExecution ... ) == 0x0 01422 584 NtDelayExecution (0, {-20010000, -1}, ... 01423 572 NtDelayExecution (0, {-20010000, -1}, ... 01424 580 NtDelayExecution (0, {-20010000, -1}, ... 01425 588 NtDelayExecution (0, {-20010000, -1}, ... 01426 576 NtDelayExecution (0, {-20010000, -1}, ... 01427 596 NtDelayExecution (0, {-20010000, -1}, ... 01428 636 NtDelayExecution (0, {-20010000, -1}, ... 01420 296 NtUserWaitMessage ... ) == 0x1 01429 296 NtUserPeekMessage (0, 0, 0, 1, ... 01430 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01429 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8ada, {512, 384}}, ) == 0x1 01431 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01432 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8ada, {512, 384}}, ) == 0x0 01433 296 NtUserWaitMessage (... ) == 0x1 01434 296 NtUserPeekMessage (0, 0, 0, 1, ... 01435 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01434 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x1 01436 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01437 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x0 01438 296 NtUserWaitMessage (... ) == 0x1 01439 296 NtUserPeekMessage (0, 0, 0, 1, ... 
01440 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01439 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x1 01441 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01442 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x0 01443 296 NtUserWaitMessage (... ) == 0x1 01444 296 NtUserPeekMessage (0, 0, 0, 1, ... 01445 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01444 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x1 01446 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01447 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8aea, {512, 384}}, ) == 0x0 01448 296 NtUserWaitMessage (... ) == 0x1 01449 296 NtUserPeekMessage (0, 0, 0, 1, ... 01450 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01449 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8afa, {512, 384}}, ) == 0x1 01451 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01452 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8afa, {512, 384}}, ) == 0x0 01453 296 NtUserWaitMessage (... ) == 0x1 01454 296 NtUserPeekMessage (0, 0, 0, 1, ... 01455 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01454 296 NtUserPeekMessage ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8afa, {512, 384}}, ) == 0x1 01456 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01457 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8afa, {512, 384}}, ) == 0x0 01458 296 NtUserWaitMessage (... ) == 0x1 01459 296 NtUserPeekMessage (0, 0, 0, 1, ... 01460 296 NtUserMessageCall (0x200b4, WM_SETCURSOR, 0x200b4, 0x2000001, 0, 670, 0, ... ) == 0x0 01459 296 NtUserPeekMessage ... 
{0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8b09, {512, 384}}, ) == 0x1 01461 296 NtUserCallMsgFilter (1243628, 0, ... ) == 0x0 01462 296 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b4, WM_MOUSEFIRST, 0x0, 0x1400a8, 0x8b09, {512, 384}}, ) == 0x0 01463 296 NtUserWaitMessage (... 01421 732 NtDelayExecution ... ) == 0x0 01464 732 NtDelayExecution (0, {-20010000, -1}, ... 01422 584 NtDelayExecution ... ) == 0x0 01465 584 NtDelayExecution (0, {-20010000, -1}, ... 01423 572 NtDelayExecution ... ) == 0x0 01466 572 NtDelayExecution (0, {-20010000, -1}, ... 01424 580 NtDelayExecution ... ) == 0x0 01467 580 NtDelayExecution (0, {-20010000, -1}, ... 01425 588 NtDelayExecution ... ) == 0x0 01468 588 NtDelayExecution (0, {-20010000, -1}, ... 01426 576 NtDelayExecution ... ) == 0x0 01469 576 NtDelayExecution (0, {-20010000, -1}, ... 01427 596 NtDelayExecution ... ) == 0x0 01470 596 NtDelayExecution (0, {-20010000, -1}, ... 01428 636 NtDelayExecution ... ) == 0x0 01471 636 NtDelayExecution (0, {-20010000, -1}, ... 01464 732 NtDelayExecution ... ) == 0x0 01472 732 NtDelayExecution (0, {-20010000, -1}, ... 01465 584 NtDelayExecution ... ) == 0x0 01473 584 NtDelayExecution (0, {-20010000, -1}, ... 01466 572 NtDelayExecution ... ) == 0x0 01474 572 NtDelayExecution (0, {-20010000, -1}, ... 01467 580 NtDelayExecution ... ) == 0x0 01475 580 NtDelayExecution (0, {-20010000, -1}, ... 01468 588 NtDelayExecution ... ) == 0x0 01476 588 NtDelayExecution (0, {-20010000, -1}, ... 01469 576 NtDelayExecution ... ) == 0x0 01477 576 NtDelayExecution (0, {-20010000, -1}, ... 01470 596 NtDelayExecution ... ) == 0x0 01478 596 NtDelayExecution (0, {-20010000, -1}, ... 01471 636 NtDelayExecution ... ) == 0x0 01479 636 NtDelayExecution (0, {-20010000, -1}, ... 01472 732 NtDelayExecution ... ) == 0x0 01480 732 NtDelayExecution (0, {-20010000, -1}, ... 01473 584 NtDelayExecution ... ) == 0x0 01481 584 NtDelayExecution (0, {-20010000, -1}, ... 01474 572 NtDelayExecution ... 
) == 0x0 01482 572 NtDelayExecution (0, {-20010000, -1}, ... 01475 580 NtDelayExecution ... ) == 0x0 01483 580 NtDelayExecution (0, {-20010000, -1}, ... 01476 588 NtDelayExecution ... ) == 0x0 01484 588 NtDelayExecution (0, {-20010000, -1}, ... 01477 576 NtDelayExecution ... ) == 0x0 01485 576 NtDelayExecution (0, {-20010000, -1}, ... 01478 596 NtDelayExecution ... ) == 0x0 01486 596 NtDelayExecution (0, {-20010000, -1}, ... 01479 636 NtDelayExecution ... ) == 0x0 01487 636 NtDelayExecution (0, {-20010000, -1}, ... 01480 732 NtDelayExecution ... ) == 0x0 01488 732 NtDelayExecution (0, {-20010000, -1}, ... 01481 584 NtDelayExecution ... ) == 0x0 01489 584 NtDelayExecution (0, {-20010000, -1}, ... 01482 572 NtDelayExecution ... ) == 0x0 01490 572 NtDelayExecution (0, {-20010000, -1}, ... 01483 580 NtDelayExecution ... ) == 0x0 01491 580 NtDelayExecution (0, {-20010000, -1}, ... 01484 588 NtDelayExecution ... ) == 0x0 01492 588 NtDelayExecution (0, {-20010000, -1}, ... 01485 576 NtDelayExecution ... ) == 0x0 01493 576 NtDelayExecution (0, {-20010000, -1}, ... 01486 596 NtDelayExecution ... ) == 0x0 01494 596 NtDelayExecution (0, {-20010000, -1}, ... 01487 636 NtDelayExecution ... ) == 0x0 01495 636 NtDelayExecution (0, {-20010000, -1}, ... 01488 732 NtDelayExecution ... ) == 0x0 01496 732 NtDelayExecution (0, {-20010000, -1}, ... 01489 584 NtDelayExecution ... ) == 0x0 01497 584 NtDelayExecution (0, {-20010000, -1}, ... 01490 572 NtDelayExecution ... ) == 0x0 01498 572 NtDelayExecution (0, {-20010000, -1}, ... 01491 580 NtDelayExecution ... ) == 0x0 01499 580 NtDelayExecution (0, {-20010000, -1}, ... 01492 588 NtDelayExecution ... ) == 0x0 01500 588 NtDelayExecution (0, {-20010000, -1}, ... 01493 576 NtDelayExecution ... ) == 0x0 01501 576 NtDelayExecution (0, {-20010000, -1}, ... 01494 596 NtDelayExecution ... ) == 0x0 01502 596 NtDelayExecution (0, {-20010000, -1}, ... 01495 636 NtDelayExecution ... ) == 0x0 01503 636 NtDelayExecution (0, {-20010000, -1}, ... 
01496 732 NtDelayExecution ... ) == 0x0 01504 732 NtDelayExecution (0, {-20010000, -1}, ... 01497 584 NtDelayExecution ... ) == 0x0 01498 572 NtDelayExecution ... ) == 0x0 01499 580 NtDelayExecution ... ) == 0x0 01500 588 NtDelayExecution ... ) == 0x0 01501 576 NtDelayExecution ... ) == 0x0 01502 596 NtDelayExecution ... ) == 0x0 01503 636 NtDelayExecution ... ) == 0x0 01505 584 NtDelayExecution (0, {-20010000, -1}, ... 01506 572 NtDelayExecution (0, {-20010000, -1}, ... 01507 580 NtDelayExecution (0, {-20010000, -1}, ... 01508 588 NtDelayExecution (0, {-20010000, -1}, ... 01509 576 NtDelayExecution (0, {-20010000, -1}, ... 01510 596 NtDelayExecution (0, {-20010000, -1}, ... 01511 636 NtDelayExecution (0, {-20010000, -1}, ... 01504 732 NtDelayExecution ... ) == 0x0 01512 732 NtDelayExecution (0, {-20010000, -1}, ... 01505 584 NtDelayExecution ... ) == 0x0 01513 584 NtDelayExecution (0, {-20010000, -1}, ... 01506 572 NtDelayExecution ... ) == 0x0 01514 572 NtDelayExecution (0, {-20010000, -1}, ... 01507 580 NtDelayExecution ... ) == 0x0 01515 580 NtDelayExecution (0, {-20010000, -1}, ... 01508 588 NtDelayExecution ... ) == 0x0 01516 588 NtDelayExecution (0, {-20010000, -1}, ... 01509 576 NtDelayExecution ... ) == 0x0 01517 576 NtDelayExecution (0, {-20010000, -1}, ... 01510 596 NtDelayExecution ... ) == 0x0 01518 596 NtDelayExecution (0, {-20010000, -1}, ... 01511 636 NtDelayExecution ... ) == 0x0 01519 636 NtDelayExecution (0, {-20010000, -1}, ... 01512 732 NtDelayExecution ... ) == 0x0 01520 732 NtDelayExecution (0, {-20010000, -1}, ... 01513 584 NtDelayExecution ... ) == 0x0 01521 584 NtDelayExecution (0, {-20010000, -1}, ... 01514 572 NtDelayExecution ... ) == 0x0 01522 572 NtDelayExecution (0, {-20010000, -1}, ... 01515 580 NtDelayExecution ... ) == 0x0 01523 580 NtDelayExecution (0, {-20010000, -1}, ... 01516 588 NtDelayExecution ... ) == 0x0 01524 588 NtDelayExecution (0, {-20010000, -1}, ... 01517 576 NtDelayExecution ... 
) == 0x0 01525 576 NtDelayExecution (0, {-20010000, -1}, ... 01518 596 NtDelayExecution ... ) == 0x0 01526 596 NtDelayExecution (0, {-20010000, -1}, ... 01519 636 NtDelayExecution ... ) == 0x0 01527 636 NtDelayExecution (0, {-20010000, -1}, ... 01520 732 NtDelayExecution ... ) == 0x0 01528 732 NtDelayExecution (0, {-20010000, -1}, ... 01521 584 NtDelayExecution ... ) == 0x0 01529 584 NtDelayExecution (0, {-20010000, -1}, ... 01522 572 NtDelayExecution ... ) == 0x0 01530 572 NtDelayExecution (0, {-20010000, -1}, ... 01523 580 NtDelayExecution ... ) == 0x0 01531 580 NtDelayExecution (0, {-20010000, -1}, ... 01524 588 NtDelayExecution ... ) == 0x0 01532 588 NtDelayExecution (0, {-20010000, -1}, ... 01525 576 NtDelayExecution ... ) == 0x0 01533 576 NtDelayExecution (0, {-20010000, -1}, ... 01526 596 NtDelayExecution ... ) == 0x0 01534 596 NtDelayExecution (0, {-20010000, -1}, ... 01527 636 NtDelayExecution ... ) == 0x0 01535 636 NtDelayExecution (0, {-20010000, -1}, ... 01528 732 NtDelayExecution ... ) == 0x0 01536 732 NtDelayExecution (0, {-20010000, -1}, ... 01529 584 NtDelayExecution ... ) == 0x0 01537 584 NtDelayExecution (0, {-20010000, -1}, ... 01530 572 NtDelayExecution ... ) == 0x0 01538 572 NtDelayExecution (0, {-20010000, -1}, ... 01531 580 NtDelayExecution ... ) == 0x0 01539 580 NtDelayExecution (0, {-20010000, -1}, ... 01532 588 NtDelayExecution ... ) == 0x0 01540 588 NtDelayExecution (0, {-20010000, -1}, ... 01533 576 NtDelayExecution ... ) == 0x0 01541 576 NtDelayExecution (0, {-20010000, -1}, ... 01534 596 NtDelayExecution ... ) == 0x0 01542 596 NtDelayExecution (0, {-20010000, -1}, ... 01535 636 NtDelayExecution ... ) == 0x0 01543 636 NtDelayExecution (0, {-20010000, -1}, ... 01536 732 NtDelayExecution ... ) == 0x0 01544 732 NtDelayExecution (0, {-20010000, -1}, ... 01537 584 NtDelayExecution ... ) == 0x0 01545 584 NtDelayExecution (0, {-20010000, -1}, ... 01538 572 NtDelayExecution ... ) == 0x0 01546 572 NtDelayExecution (0, {-20010000, -1}, ... 
01539 580 NtDelayExecution ... ) == 0x0 01547 580 NtDelayExecution (0, {-20010000, -1}, ... 01540 588 NtDelayExecution ... ) == 0x0 01548 588 NtDelayExecution (0, {-20010000, -1}, ... 01541 576 NtDelayExecution ... ) == 0x0 01549 576 NtDelayExecution (0, {-20010000, -1}, ... 01542 596 NtDelayExecution ... ) == 0x0 01550 596 NtDelayExecution (0, {-20010000, -1}, ... 01543 636 NtDelayExecution ... ) == 0x0 01551 636 NtDelayExecution (0, {-20010000, -1}, ... 01544 732 NtDelayExecution ... ) == 0x0 01552 732 NtDelayExecution (0, {-20010000, -1}, ... 01545 584 NtDelayExecution ... ) == 0x0 01546 572 NtDelayExecution ... ) == 0x0 01547 580 NtDelayExecution ... ) == 0x0 01548 588 NtDelayExecution ... ) == 0x0 01549 576 NtDelayExecution ... ) == 0x0 01550 596 NtDelayExecution ... ) == 0x0 01551 636 NtDelayExecution ... ) == 0x0 01553 584 NtDelayExecution (0, {-20010000, -1}, ... 01554 572 NtDelayExecution (0, {-20010000, -1}, ... 01555 580 NtDelayExecution (0, {-20010000, -1}, ... 01556 588 NtDelayExecution (0, {-20010000, -1}, ... 01557 576 NtDelayExecution (0, {-20010000, -1}, ... 01558 596 NtDelayExecution (0, {-20010000, -1}, ... 01559 636 NtDelayExecution (0, {-20010000, -1}, ... 01552 732 NtDelayExecution ... ) == 0x0 01560 732 NtDelayExecution (0, {-20010000, -1}, ... 01553 584 NtDelayExecution ... ) == 0x0 01561 584 NtDelayExecution (0, {-20010000, -1}, ... 01554 572 NtDelayExecution ... ) == 0x0 01562 572 NtDelayExecution (0, {-20010000, -1}, ... 01555 580 NtDelayExecution ... ) == 0x0 01563 580 NtDelayExecution (0, {-20010000, -1}, ... 01556 588 NtDelayExecution ... ) == 0x0 01564 588 NtDelayExecution (0, {-20010000, -1}, ... 01557 576 NtDelayExecution ... ) == 0x0 01565 576 NtDelayExecution (0, {-20010000, -1}, ... 01558 596 NtDelayExecution ... ) == 0x0 01566 596 NtDelayExecution (0, {-20010000, -1}, ... 01559 636 NtDelayExecution ... ) == 0x0 01567 636 NtDelayExecution (0, {-20010000, -1}, ... 01560 732 NtDelayExecution ... 
) == 0x0 01568 732 NtDelayExecution (0, {-20010000, -1}, ... 01561 584 NtDelayExecution ... ) == 0x0 01569 584 NtDelayExecution (0, {-20010000, -1}, ... 01562 572 NtDelayExecution ... ) == 0x0 01570 572 NtDelayExecution (0, {-20010000, -1}, ... 01563 580 NtDelayExecution ... ) == 0x0 01571 580 NtDelayExecution (0, {-20010000, -1}, ... 01564 588 NtDelayExecution ... ) == 0x0 01572 588 NtDelayExecution (0, {-20010000, -1}, ... 01565 576 NtDelayExecution ... ) == 0x0 01573 576 NtDelayExecution (0, {-20010000, -1}, ... 01566 596 NtDelayExecution ... ) == 0x0 01574 596 NtDelayExecution (0, {-20010000, -1}, ... 01567 636 NtDelayExecution ... ) == 0x0 01575 636 NtDelayExecution (0, {-20010000, -1}, ... 01568 732 NtDelayExecution ... ) == 0x0 01576 732 NtDelayExecution (0, {-20010000, -1}, ... 01569 584 NtDelayExecution ... ) == 0x0 01577 584 NtDelayExecution (0, {-20010000, -1}, ... 01570 572 NtDelayExecution ... ) == 0x0 01578 572 NtDelayExecution (0, {-20010000, -1}, ... 01571 580 NtDelayExecution ... ) == 0x0 01579 580 NtDelayExecution (0, {-20010000, -1}, ... 01572 588 NtDelayExecution ... ) == 0x0 01580 588 NtDelayExecution (0, {-20010000, -1}, ... 01573 576 NtDelayExecution ... ) == 0x0 01581 576 NtDelayExecution (0, {-20010000, -1}, ... 01574 596 NtDelayExecution ... ) == 0x0 01582 596 NtDelayExecution (0, {-20010000, -1}, ... 01575 636 NtDelayExecution ... ) == 0x0 01583 636 NtDelayExecution (0, {-20010000, -1}, ... 01576 732 NtDelayExecution ... ) == 0x0 01584 732 NtDelayExecution (0, {-20010000, -1}, ... 01577 584 NtDelayExecution ... ) == 0x0 01585 584 NtDelayExecution (0, {-20010000, -1}, ... 01578 572 NtDelayExecution ... ) == 0x0 01586 572 NtDelayExecution (0, {-20010000, -1}, ... 01579 580 NtDelayExecution ... ) == 0x0 01587 580 NtDelayExecution (0, {-20010000, -1}, ... 01580 588 NtDelayExecution ... ) == 0x0 01588 588 NtDelayExecution (0, {-20010000, -1}, ... 01581 576 NtDelayExecution ... ) == 0x0 01589 576 NtDelayExecution (0, {-20010000, -1}, ... 
01582 596 NtDelayExecution ... ) == 0x0 01590 596 NtDelayExecution (0, {-20010000, -1}, ... 01583 636 NtDelayExecution ... ) == 0x0 01591 636 NtDelayExecution (0, {-20010000, -1}, ... 01584 732 NtDelayExecution ... ) == 0x0 01592 732 NtDelayExecution (0, {-20010000, -1}, ... 01585 584 NtDelayExecution ... ) == 0x0 01593 584 NtDelayExecution (0, {-20010000, -1}, ... 01586 572 NtDelayExecution ... ) == 0x0 01594 572 NtDelayExecution (0, {-20010000, -1}, ... 01587 580 NtDelayExecution ... ) == 0x0 01595 580 NtDelayExecution (0, {-20010000, -1}, ... 01588 588 NtDelayExecution ... ) == 0x0 01596 588 NtDelayExecution (0, {-20010000, -1}, ... 01589 576 NtDelayExecution ... ) == 0x0 01597 576 NtDelayExecution (0, {-20010000, -1}, ... 01590 596 NtDelayExecution ... ) == 0x0 01598 596 NtDelayExecution (0, {-20010000, -1}, ... 01591 636 NtDelayExecution ... ) == 0x0 01599 636 NtDelayExecution (0, {-20010000, -1}, ... 01592 732 NtDelayExecution ... ) == 0x0 01600 732 NtDelayExecution (0, {-20010000, -1}, ... 01593 584 NtDelayExecution ... ) == 0x0 01594 572 NtDelayExecution ... ) == 0x0 01595 580 NtDelayExecution ... ) == 0x0 01596 588 NtDelayExecution ... ) == 0x0 01597 576 NtDelayExecution ... ) == 0x0 01598 596 NtDelayExecution ... ) == 0x0 01599 636 NtDelayExecution ... ) == 0x0 01601 584 NtDelayExecution (0, {-20010000, -1}, ... 01602 572 NtDelayExecution (0, {-20010000, -1}, ... 01603 580 NtDelayExecution (0, {-20010000, -1}, ... 01604 588 NtDelayExecution (0, {-20010000, -1}, ... 01605 576 NtDelayExecution (0, {-20010000, -1}, ... 01606 596 NtDelayExecution (0, {-20010000, -1}, ... 01607 636 NtDelayExecution (0, {-20010000, -1}, ... 01600 732 NtDelayExecution ... ) == 0x0 01608 732 NtDelayExecution (0, {-20010000, -1}, ... 01601 584 NtDelayExecution ... ) == 0x0 01609 584 NtDelayExecution (0, {-20010000, -1}, ... 01602 572 NtDelayExecution ... ) == 0x0 01610 572 NtDelayExecution (0, {-20010000, -1}, ... 01603 580 NtDelayExecution ... 
) == 0x0 01611 580 NtDelayExecution (0, {-20010000, -1}, ... 01604 588 NtDelayExecution ... ) == 0x0 01612 588 NtDelayExecution (0, {-20010000, -1}, ... 01605 576 NtDelayExecution ... ) == 0x0 01613 576 NtDelayExecution (0, {-20010000, -1}, ... 01606 596 NtDelayExecution ... ) == 0x0 01614 596 NtDelayExecution (0, {-20010000, -1}, ... 01607 636 NtDelayExecution ... ) == 0x0 01615 636 NtDelayExecution (0, {-20010000, -1}, ... 01608 732 NtDelayExecution ... ) == 0x0 01616 732 NtDelayExecution (0, {-20010000, -1}, ... 01609 584 NtDelayExecution ... ) == 0x0 01617 584 NtDelayExecution (0, {-20010000, -1}, ... 01610 572 NtDelayExecution ... ) == 0x0 01618 572 NtDelayExecution (0, {-20010000, -1}, ... 01611 580 NtDelayExecution ... ) == 0x0 01619 580 NtDelayExecution (0, {-20010000, -1}, ... 01612 588 NtDelayExecution ... ) == 0x0 01620 588 NtDelayExecution (0, {-20010000, -1}, ... 01613 576 NtDelayExecution ... ) == 0x0 01621 576 NtDelayExecution (0, {-20010000, -1}, ... 01614 596 NtDelayExecution ... ) == 0x0 01622 596 NtDelayExecution (0, {-20010000, -1}, ... 01615 636 NtDelayExecution ... ) == 0x0 01623 636 NtDelayExecution (0, {-20010000, -1}, ... 01616 732 NtDelayExecution ... ) == 0x0 01624 732 NtDelayExecution (0, {-20010000, -1}, ... 01617 584 NtDelayExecution ... ) == 0x0 01625 584 NtDelayExecution (0, {-20010000, -1}, ... 01618 572 NtDelayExecution ... ) == 0x0 01626 572 NtDelayExecution (0, {-20010000, -1}, ... 01619 580 NtDelayExecution ... ) == 0x0 01627 580 NtDelayExecution (0, {-20010000, -1}, ... 01620 588 NtDelayExecution ... ) == 0x0 01628 588 NtDelayExecution (0, {-20010000, -1}, ... 01621 576 NtDelayExecution ... ) == 0x0 01629 576 NtDelayExecution (0, {-20010000, -1}, ... 01622 596 NtDelayExecution ... ) == 0x0 01630 596 NtDelayExecution (0, {-20010000, -1}, ... 01623 636 NtDelayExecution ... ) == 0x0 01631 636 NtDelayExecution (0, {-20010000, -1}, ... 01624 732 NtDelayExecution ... ) == 0x0 01632 732 NtDelayExecution (0, {-20010000, -1}, ... 
01625 584 NtDelayExecution ... ) == 0x0 01633 584 NtDelayExecution (0, {-20010000, -1}, ... 01626 572 NtDelayExecution ... ) == 0x0 01634 572 NtDelayExecution (0, {-20010000, -1}, ... 01627 580 NtDelayExecution ... ) == 0x0 01635 580 NtDelayExecution (0, {-20010000, -1}, ... 01628 588 NtDelayExecution ... ) == 0x0 01636 588 NtDelayExecution (0, {-20010000, -1}, ... 01629 576 NtDelayExecution ... ) == 0x0 01637 576 NtDelayExecution (0, {-20010000, -1}, ... 01630 596 NtDelayExecution ... ) == 0x0 01638 596 NtDelayExecution (0, {-20010000, -1}, ... 01631 636 NtDelayExecution ... ) == 0x0 01639 636 NtDelayExecution (0, {-20010000, -1}, ... 01632 732 NtDelayExecution ... ) == 0x0 01640 732 NtDelayExecution (0, {-20010000, -1}, ... 01633 584 NtDelayExecution ... ) == 0x0 01641 584 NtDelayExecution (0, {-20010000, -1}, ... 01634 572 NtDelayExecution ... ) == 0x0 01642 572 NtDelayExecution (0, {-20010000, -1}, ... 01635 580 NtDelayExecution ... ) == 0x0 01643 580 NtDelayExecution (0, {-20010000, -1}, ... 01636 588 NtDelayExecution ... ) == 0x0 01644 588 NtDelayExecution (0, {-20010000, -1}, ... 01637 576 NtDelayExecution ... ) == 0x0 01645 576 NtDelayExecution (0, {-20010000, -1}, ... 01638 596 NtDelayExecution ... ) == 0x0 01646 596 NtDelayExecution (0, {-20010000, -1}, ... 01639 636 NtDelayExecution ... ) == 0x0 01647 636 NtDelayExecution (0, {-20010000, -1}, ... 01640 732 NtDelayExecution ... ) == 0x0 01648 732 NtDelayExecution (0, {-20010000, -1}, ... 01641 584 NtDelayExecution ... ) == 0x0 01642 572 NtDelayExecution ... ) == 0x0 01643 580 NtDelayExecution ... ) == 0x0 01644 588 NtDelayExecution ... ) == 0x0 01645 576 NtDelayExecution ... ) == 0x0 01646 596 NtDelayExecution ... ) == 0x0 01647 636 NtDelayExecution ... ) == 0x0 01649 584 NtDelayExecution (0, {-20010000, -1}, ... 01650 572 NtDelayExecution (0, {-20010000, -1}, ... 01651 580 NtDelayExecution (0, {-20010000, -1}, ... 01652 588 NtDelayExecution (0, {-20010000, -1}, ... 
01653 576 NtDelayExecution (0, {-20010000, -1}, ... 01654 596 NtDelayExecution (0, {-20010000, -1}, ... 01655 636 NtDelayExecution (0, {-20010000, -1}, ... 01648 732 NtDelayExecution ... ) == 0x0 01656 732 NtDelayExecution (0, {-20010000, -1}, ... 01649 584 NtDelayExecution ... ) == 0x0 01657 584 NtDelayExecution (0, {-20010000, -1}, ... 01650 572 NtDelayExecution ... ) == 0x0 01658 572 NtDelayExecution (0, {-20010000, -1}, ... 01651 580 NtDelayExecution ... ) == 0x0 01659 580 NtDelayExecution (0, {-20010000, -1}, ... 01652 588 NtDelayExecution ... ) == 0x0 01660 588 NtDelayExecution (0, {-20010000, -1}, ... 01653 576 NtDelayExecution ... ) == 0x0 01661 576 NtDelayExecution (0, {-20010000, -1}, ... 01654 596 NtDelayExecution ... ) == 0x0 01662 596 NtDelayExecution (0, {-20010000, -1}, ... 01655 636 NtDelayExecution ... ) == 0x0 01663 636 NtDelayExecution (0, {-20010000, -1}, ... 01656 732 NtDelayExecution ... ) == 0x0 01664 732 NtDelayExecution (0, {-20010000, -1}, ... 01657 584 NtDelayExecution ... ) == 0x0 01665 584 NtDelayExecution (0, {-20010000, -1}, ... 01658 572 NtDelayExecution ... ) == 0x0 01666 572 NtDelayExecution (0, {-20010000, -1}, ... 01659 580 NtDelayExecution ... ) == 0x0 01667 580 NtDelayExecution (0, {-20010000, -1}, ... 01660 588 NtDelayExecution ... ) == 0x0 01668 588 NtDelayExecution (0, {-20010000, -1}, ... 01661 576 NtDelayExecution ... ) == 0x0 01669 576 NtDelayExecution (0, {-20010000, -1}, ... 01662 596 NtDelayExecution ... ) == 0x0 01670 596 NtDelayExecution (0, {-20010000, -1}, ... 01663 636 NtDelayExecution ... ) == 0x0 01671 636 NtDelayExecution (0, {-20010000, -1}, ... 01664 732 NtDelayExecution ... ) == 0x0 01672 732 NtDelayExecution (0, {-20010000, -1}, ... 01665 584 NtDelayExecution ... ) == 0x0 01673 584 NtDelayExecution (0, {-20010000, -1}, ... 01666 572 NtDelayExecution ... ) == 0x0 01674 572 NtDelayExecution (0, {-20010000, -1}, ... 01667 580 NtDelayExecution ... ) == 0x0 01675 580 NtDelayExecution (0, {-20010000, -1}, ... 
01668 588 NtDelayExecution ... ) == 0x0 01676 588 NtDelayExecution (0, {-20010000, -1}, ... 01669 576 NtDelayExecution ... ) == 0x0 01677 576 NtDelayExecution (0, {-20010000, -1}, ... 01670 596 NtDelayExecution ... ) == 0x0 01678 596 NtDelayExecution (0, {-20010000, -1}, ... 01671 636 NtDelayExecution ... ) == 0x0 01679 636 NtDelayExecution (0, {-20010000, -1}, ... 01672 732 NtDelayExecution ... ) == 0x0 01680 732 NtDelayExecution (0, {-20010000, -1}, ... 01673 584 NtDelayExecution ... ) == 0x0 01681 584 NtDelayExecution (0, {-20010000, -1}, ... 01674 572 NtDelayExecution ... ) == 0x0 01682 572 NtDelayExecution (0, {-20010000, -1}, ... 01675 580 NtDelayExecution ... ) == 0x0 01683 580 NtDelayExecution (0, {-20010000, -1}, ... 01676 588 NtDelayExecution ... ) == 0x0 01684 588 NtDelayExecution (0, {-20010000, -1}, ... 01677 576 NtDelayExecution ... ) == 0x0 01685 576 NtDelayExecution (0, {-20010000, -1}, ... 01678 596 NtDelayExecution ... ) == 0x0 01686 596 NtDelayExecution (0, {-20010000, -1}, ... 01679 636 NtDelayExecution ... ) == 0x0 01687 636 NtDelayExecution (0, {-20010000, -1}, ... 01680 732 NtDelayExecution ... ) == 0x0 01688 732 NtDelayExecution (0, {-20010000, -1}, ... 01681 584 NtDelayExecution ... ) == 0x0 01689 584 NtDelayExecution (0, {-20010000, -1}, ... 01682 572 NtDelayExecution ... ) == 0x0 01690 572 NtDelayExecution (0, {-20010000, -1}, ... 01683 580 NtDelayExecution ... ) == 0x0 01691 580 NtDelayExecution (0, {-20010000, -1}, ... 01684 588 NtDelayExecution ... ) == 0x0 01692 588 NtDelayExecution (0, {-20010000, -1}, ... 01685 576 NtDelayExecution ... ) == 0x0 01693 576 NtDelayExecution (0, {-20010000, -1}, ... 01686 596 NtDelayExecution ... ) == 0x0 01694 596 NtDelayExecution (0, {-20010000, -1}, ... 01687 636 NtDelayExecution ... ) == 0x0 01695 636 NtDelayExecution (0, {-20010000, -1}, ... 01688 732 NtDelayExecution ... ) == 0x0 01696 732 NtDelayExecution (0, {-20010000, -1}, ... 01689 584 NtDelayExecution ... 
) == 0x0 01690 572 NtDelayExecution ... ) == 0x0 01691 580 NtDelayExecution ... ) == 0x0 01692 588 NtDelayExecution ... ) == 0x0 01693 576 NtDelayExecution ... ) == 0x0 01694 596 NtDelayExecution ... ) == 0x0 01695 636 NtDelayExecution ... ) == 0x0 01697 584 NtDelayExecution (0, {-20010000, -1}, ... 01698 572 NtDelayExecution (0, {-20010000, -1}, ... 01699 580 NtDelayExecution (0, {-20010000, -1}, ... 01700 588 NtDelayExecution (0, {-20010000, -1}, ... 01701 576 NtDelayExecution (0, {-20010000, -1}, ... 01702 596 NtDelayExecution (0, {-20010000, -1}, ... 01703 636 NtDelayExecution (0, {-20010000, -1}, ...