Summary (number of calls per system service, sorted by ascending count, reading down each column):

NtCallbackReturn(>) 1 NtSetInformationThread(>) 1 NtUserSetCursor(>) 2 NtGdiGetStockObject(>) 7
NtCreateEvent(>) 1 NtTestAlert(>) 1 NtUserSetFocus(>) 2 NtQueryInformationToken(>) 7
NtDuplicateObject(>) 1 NtUserCallHwnd(>) 1 NtUserSetWindowPos(>) 2 NtQuerySection(>) 8
NtFsControlFile(>) 1 NtUserCallHwndParam(>) 1 NtUserShowWindow(>) 2 NtUserCreateWindowEx(>) 8
NtGdiCreateBitmap(>) 1 NtUserCallMsgFilter(>) 1 NtGdiSetupPublicCFONT(>) 3 NtUserPeekMessage(>) 9
NtGdiCreateRectRgn(>) 1 NtUserDrawIconEx(>) 1 NtOpenProcessToken(>) 3 NtProtectVirtualMemory(>) 10
NtGdiDeleteObjectApp(>) 1 NtUserFillWindow(>) 1 NtOpenProcessTokenEx(>) 3 NtCreateSection(>) 14
NtGdiExtGetObjectW(>) 1 NtUserGetCursorFrameInfo(>) 1 NtOpenThreadTokenEx(>) 3 NtOpenFile(>) 14
NtGdiGetDCDword(>) 1 NtUserGetDCEx(>) 1 NtUserCallHwndLock(>) 3 NtQuerySystemInformation(>) 14
NtGdiGetTextExtent(>) 1 NtUserGetIconSize(>) 1 NtUserCallNoParam(>) 3 NtQueryValueKey(>) 14
NtGdiGetWidthTable(>) 1 NtUserGetThreadDesktop(>) 1 NtUserEndPaint(>) 3 NtQueryAttributesFile(>) 17
NtGdiHfontCreate(>) 1 NtUserModifyUserStartupInfoFlags(>) 1 NtUserGetControlBrush(>) 3 NtUserUnregisterClass(>) 18
NtGdiSelectBitmap(>) 1 NtUserRegisterWindowMessage(>) 1 NtCreateFile(>) 4 NtOpenKey(>) 22
NtOpenDirectoryObject(>) 1 NtFreeVirtualMemory(>) 2 NtGdiCreateCompatibleDC(>) 4 NtQueryDebugFilterState(>) 24
NtOpenKeyedEvent(>) 1 NtGdiCreateSolidBrush(>) 2 NtRequestWaitReplyPort(>) 4 NtUserMessageCall(>) 25
NtOpenMutant(>) 1 NtGdiExtSelectClipRgn(>) 2 NtUserGetAtomName(>) 4 NtUnmapViewOfSection(>) 26
NtOpenProcess(>) 1 NtGdiGetRandomRgn(>) 2 NtUserQueryWindow(>) 4 NtOpenSection(>) 27
NtOpenSymbolicLinkObject(>) 1 NtGdiGetTextCharsetInfo(>) 2 NtUserSetWindowFNID(>) 4 NtContinue(>) 29
NtQueryInformationProcess(>) 1 NtGdiGetTextMetricsW(>) 2 NtUserSystemParametersInfo(>) 4 NtUserFindExistingCursorIcon(>) 29
NtQueryObject(>) 1 NtGdiInit(>) 2 NtUserWaitMessage(>) 4 NtUserRegisterClassExWOW(>) 34
NtQueryPerformanceCounter(>) 1 NtGdiQueryFontAssocInfo(>) 2 NtFlushInstructionCache(>) 5 NtUserGetClassInfo(>) 36
NtQuerySymbolicLinkObject(>) 1 NtQueryDefaultLocale(>) 2 NtUserSetWindowLong(>) 5 NtMapViewOfSection(>) 38
NtQueryVolumeInformationFile(>) 1 NtQueryVirtualMemory(>) 2 NtGdiIntersectClipRect(>) 6 NtAllocateVirtualMemory(>) 41
NtRegisterThreadTerminatePort(>) 1 NtUserCallOneParam(>) 2 NtSetInformationObject(>) 6 NtClose(>) 73
NtSecureConnectPort(>) 1 NtUserGetForegroundWindow(>) 2 NtUserBeginPaint(>) 6

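Trace (each entry: sequence number, thread ID, system call with its arguments, then `==` and the returned status or value; an entry whose number appears twice, such as 00188, was interrupted by a nested call and resumes afterwards):

Note: entries 00077, 00080, 00083 and 00095 are NtCreateFile attempts on the device names `\??\SUPERBPM`, `\??\NTICE`, `\??\REGVXD` and `\??\FILEVXD`, all failing with STATUS_OBJECT_NAME_NOT_FOUND. These names are associated with debugger and system-monitoring drivers, so the sequence looks like an anti-analysis check by the packer stub rather than ordinary file I/O.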

00001 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 460 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 460 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 460 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 460 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 460 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 460 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 460 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 460 NtClose (12, ... 
) == 0x0 00014 460 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 460 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 460 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 460 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 460 NtClose (16, ... ) == 0x0 00021 460 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 460 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 460 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 460 NtClose (16, ... ) == 0x0 00026 460 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 460 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 460 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 460 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1531, 0} "\10\234\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 456, 460, 1531, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1531, 0} "\10\234\30\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 460 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 460 NtClose (16, ... ) == 0x0 00036 460 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 460 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 460 NtClose (28, ... ) == 0x0 00041 460 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 460 NtClose (28, ... ) == 0x0 00045 460 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 460 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 460 NtClose (28, ... ) == 0x0 00049 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 460 NtClose (28, ... ) == 0x0 00052 460 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 456, 460, 1539, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1539, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 456, 460, 1539, 0} "\260.\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 460 NtProtectVirtualMemory (-1, (0x4b5000), 32768, 4, ... (0x4b5000), 32768, 8, ) == 0x0 00057 460 NtProtectVirtualMemory (-1, (0x4b5000), 32768, 8, ... (0x4b5000), 32768, 4, ) == 0x0 00058 460 NtFlushInstructionCache (-1, 4935680, 32768, ... ) == 0x0 00059 460 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 460 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 460 NtClose (28, ... ) == 0x0 00062 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 460 NtClose (28, ... ) == 0x0 00065 460 NtTestAlert (... ) == 0x0 00066 460 NtContinue (1244464, 1, ... 00067 460 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4b505c,}, 4, ... ) == 0x0 00068 460 NtAllocateVirtualMemory (-1, 0, 0, 49152, 12288, 4, ... 3276800, 49152, ) == 0x0 00069 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00070 460 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00071 460 NtClose (28, ... 
) == 0x0 00072 460 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00073 460 NtContinue (1244388, 0, ... 00074 460 NtContinue (1244388, 0, ... 00075 460 NtContinue (1244388, 0, ... 00076 460 NtContinue (1244388, 0, ... 00077 460 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\SUPERBPM"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00078 460 NtContinue (1244388, 0, ... 00079 460 NtContinue (1244388, 0, ... 00080 460 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\NTICE"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00081 460 NtContinue (1244388, 0, ... 00082 460 NtContinue (1244388, 0, ... 00083 460 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244988, (0x100080, {24, 0, 0x40, 0, 1244988, "\??\REGVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00084 460 NtAllocateVirtualMemory (-1, 0, 0, 241664, 12288, 4, ... 3342336, 241664, ) == 0x0 00085 460 NtContinue (1244372, 0, ... 00086 460 NtContinue (1244372, 0, ... 00087 460 NtContinue (1244372, 0, ... 00088 460 NtContinue (1244372, 0, ... 00089 460 NtContinue (1244372, 0, ... 00090 460 NtContinue (1244372, 0, ... 00091 460 NtContinue (1244372, 0, ... 00092 460 NtContinue (1244372, 0, ... 00093 460 NtContinue (1244376, 0, ... 00094 460 NtContinue (1244376, 0, ... 00095 460 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1244976, (0x100080, {24, 0, 0x40, 0, 1244976, "\??\FILEVXD"}, 0x0, 0, 3, 1, 96, 0, 0, ... ) }, 0x0, 0, 3, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00096 460 NtContinue (1244376, 0, ... 00097 460 NtContinue (1244376, 0, ... 00098 460 NtContinue (1244376, 0, ... 00099 460 NtContinue (1244376, 0, ... 00100 460 NtAllocateVirtualMemory (-1, 0, 0, 67840, 12288, 4, ... 
3604480, 69632, ) == 0x0 00101 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00103 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00104 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1243072, ... ) }, 1243072, ... ) == 0x0 00105 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00106 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00107 460 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00108 460 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00109 460 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00110 460 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00112 460 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00113 460 NtClose (40, ... ) == 0x0 00114 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00115 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
40, ) == 0x0 00116 460 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00117 460 NtClose (40, ... ) == 0x0 00118 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 460 NtClose (36, ... ) == 0x0 00120 460 NtClose (28, ... ) == 0x0 00121 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0 00122 460 NtClose (32, ... ) == 0x0 00123 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00124 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00125 460 NtClose (32, ... ) == 0x0 00126 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0 00127 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00128 460 NtClose (32, ... ) == 0x0 00129 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00130 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00131 460 NtClose (32, ... ) == 0x0 00132 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00133 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00134 460 NtClose (32, ... ) == 0x0 00135 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00136 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00137 460 NtClose (32, ... ) == 0x0 00138 460 NtProtectVirtualMemory (-1, (0x1f7b1000), 724, 4, ... 
(0x1f7b1000), 4096, 32, ) == 0x0 00139 460 NtProtectVirtualMemory (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0 00140 460 NtFlushInstructionCache (-1, 528158720, 724, ... ) == 0x0 00141 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00142 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0 00143 460 NtClose (32, ... ) == 0x0 00144 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 32, ) }, ... 32, ) == 0x0 00145 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00146 460 NtClose (32, ... ) == 0x0 00147 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 32, ) }, ... 32, ) == 0x0 00148 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00149 460 NtClose (32, ... ) == 0x0 00150 460 NtProtectVirtualMemory (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0 00151 460 NtProtectVirtualMemory (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0 00152 460 NtFlushInstructionCache (-1, 1983582208, 1536, ... ) == 0x0 00153 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00154 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00155 460 NtClose (32, ... ) == 0x0 00156 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00157 460 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00158 460 NtQueryValueKey (32, (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00159 460 NtClose (32, ... ) == 0x0 00160 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0 00161 460 NtQueryValueKey (32, (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00162 460 NtClose (32, ... ) == 0x0 00163 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0 00164 460 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00165 460 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00166 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00167 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1567, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ... 
{28, 56, reply, 0, 456, 460, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00168 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00169 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x590000), 0x0, 1060864, ) == 0x0 00170 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00171 460 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00172 460 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00173 460 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00174 460 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00175 460 NtClose (-2147482020, ... ) == 0x0 00176 460 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3735552, 4096, ) == 0x0 00177 460 NtFreeVirtualMemory (-1, (0x390000), 4096, 32768, ... (0x390000), 4096, ) == 0x0 00178 460 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00179 460 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00180 460 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00181 460 NtClose (-2147482020, ... ) == 0x0 00182 460 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00183 460 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 460 NtClose (-2147482020, ... ) == 0x0 00185 460 NtQueryDefaultLocale (0, -104158708, ... 
) == 0x0 00186 460 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00187 460 NtUserCallNoParam (24, ... ) == 0x0 00188 460 NtGdiCreateCompatibleDC (0, ... 00189 460 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3735552, 4096, ) == 0x0 00188 460 NtGdiCreateCompatibleDC ... ) == 0xe010451 00190 460 NtGdiGetStockObject (0, ... ) == 0x1900010 00191 460 NtGdiGetStockObject (4, ... ) == 0x1900011 00192 460 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00193 460 NtGdiCreateSolidBrush (0, 0, ... 00194 460 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3801088, 4096, ) == 0x0 00193 460 NtGdiCreateSolidBrush ... ) == 0x810045b 00195 460 NtGdiGetStockObject (13, ... ) == 0x18a0021 00196 460 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00197 460 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00198 460 NtUserGetThreadDesktop (460, 0, ... ) == 0x2c 00199 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00200 460 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00201 460 NtClose (52, ... ) == 0x0 00202 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00203 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 673, 128, 0, ... ) == 0x810cc017 00204 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00205 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 674, 128, 0, ... ) == 0x810cc01c 00206 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00207 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 675, 128, 0, ... ) == 0x810cc01e 00208 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... 
) == 0x10011 00209 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 676, 128, 0, ... ) == 0x810c8002 00210 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10013 00211 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 677, 128, 0, ... ) == 0x810cc018 00212 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00213 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 678, 128, 0, ... ) == 0x810cc01a 00214 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00215 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 679, 128, 0, ... ) == 0x810cc01d 00216 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00217 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 681, 128, 0, ... ) == 0x810cc026 00218 460 NtUserFindExistingCursorIcon (1240876, 1240892, 1241460, ... ) == 0x10011 00219 460 NtUserRegisterClassExWOW (1241396, 1241476, 1241460, 1241492, 680, 128, 0, ... ) == 0x810cc019 00220 460 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810cc020 00221 460 NtUserRegisterClassExWOW (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810cc022 00222 460 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... ) == 0x810cc023 00223 460 NtUserRegisterClassExWOW (1241348, 1241424, 1241440, 1241412, 0, 130, 0, ... ) == 0x810cc024 00224 460 NtUserRegisterClassExWOW (1241348, 1241428, 1241412, 1241444, 0, 128, 0, ... 00225 460 NtAllocateVirtualMemory (-1, 7057408, 0, 4096, 4096, 32, ... 7057408, 4096, ) == 0x0 00224 460 NtUserRegisterClassExWOW ... ) == 0x810cc025 00226 460 NtCallbackReturn (0, 0, 0, ... 00227 460 NtGdiInit (... ) == 0x1 00228 460 NtGdiGetStockObject (18, ... ) == 0x290001c 00229 460 NtGdiGetStockObject (19, ... ) == 0x1b00019 00230 460 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {456, 0}, ... 
52, ) == 0x0 00231 460 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00232 460 NtClose (52, ... ) == 0x0 00233 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00234 460 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00235 460 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00236 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00237 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00238 460 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00239 460 NtClose (52, ... ) == 0x0 00240 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 52, ) }, ... 52, ) == 0x0 00241 460 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00242 460 NtOpenKey (0x20019, {24, 52, 0x40, 0, 0, (0x20019, {24, 52, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0 00243 460 NtQueryValueKey (56, (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00244 460 NtClose (56, ... ) == 0x0 00245 460 NtUserSystemParametersInfo (41, 500, 1242804, 0, ... ) == 0x1 00246 460 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00247 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00248 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00249 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc03b 00250 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00251 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc03d 00252 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00253 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... 
) == 0x10011 00254 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc03f 00255 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00256 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00257 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc041 00258 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00259 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00260 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc043 00261 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00262 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc045 00263 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00264 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00265 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc047 00266 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00267 460 NtUserFindExistingCursorIcon (1242592, 1242608, 1243176, ... ) == 0x10011 00268 460 NtUserRegisterClassExWOW (1243044, 1243124, 1243108, 1243140, 0, 384, 0, ... ) == 0x810cc049 00269 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00270 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00271 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc04b 00272 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00273 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00274 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... 
) == 0x810cc04d 00275 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00276 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00277 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc04f 00278 460 NtUserGetClassInfo (1999896576, 1243216, 1243168, 1243244, 0, ... ) == 0x0 00279 460 NtUserRegisterClassExWOW (1243052, 1243132, 1243116, 1243148, 0, 384, 0, ... ) == 0x810cc051 00280 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00281 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00282 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc053 00283 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00284 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00285 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc055 00286 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc057 00287 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00288 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00289 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc059 00290 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00291 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10013 00292 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc05b 00293 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00294 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00295 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... 
) == 0x810cc05d 00296 460 NtUserGetClassInfo (1999896576, 1243212, 1243164, 1243240, 0, ... ) == 0x0 00297 460 NtUserFindExistingCursorIcon (1242596, 1242612, 1243180, ... ) == 0x10011 00298 460 NtUserRegisterClassExWOW (1243048, 1243128, 1243112, 1243144, 0, 384, 0, ... ) == 0x810cc05f 00299 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00300 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3866624, 65536, ) == 0x0 00301 460 NtAllocateVirtualMemory (-1, 3866624, 0, 4096, 4096, 4, ... 3866624, 4096, ) == 0x0 00302 460 NtAllocateVirtualMemory (-1, 3870720, 0, 8192, 4096, 4, ... 3870720, 8192, ) == 0x0 00303 460 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00304 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 56, ) }, ... 56, ) == 0x0 00305 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x3c0000), 0x0, 12288, ) == 0x0 00306 460 NtClose (56, ... ) == 0x0 00307 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00308 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00309 460 NtContinue (1241200, 0, ... 00310 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00311 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc03b 00312 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00313 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc03d 00314 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00315 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc03f 00316 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... 
) == 0x1 00317 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc041 00318 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00319 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc043 00320 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00321 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc045 00322 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00323 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc047 00324 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00325 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc049 00326 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00327 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc04b 00328 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00329 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc04d 00330 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00331 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc04f 00332 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00333 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc051 00334 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00335 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc053 00336 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00337 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc057 00338 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00339 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc059 00340 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... 
) == 0x1 00341 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc05b 00342 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00343 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc05d 00344 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00345 460 NtUserGetClassInfo (1999896576, 1243264, 1243216, 1243292, 0, ... ) == 0xc05f 00346 460 NtUserUnregisterClass (1243268, 1999896576, 1243256, ... ) == 0x1 00347 460 NtSetInformationObject (52, Handle, {Inherit=0,ProtectFromClose=0,}, 129826816, ... ) == 0x0 00348 460 NtClose (52, ... ) == 0x0 00349 460 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=0,}, 129826816, ... ) == 0x0 00350 460 NtClose (32, ... ) == 0x0 00351 460 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 00352 460 NtUnmapViewOfSection (-1, 0x1f7b0000, ... ) == 0x0 00353 460 NtUnmapViewOfSection (-1, 0x763b0000, ... ) == 0x0 00354 460 NtUnmapViewOfSection (-1, 0x773d0000, ... ) == 0x0 00355 460 NtUnmapViewOfSection (-1, 0x772d0000, ... ) == 0x0 00356 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00357 460 NtUnmapViewOfSection (-1, 0x77340000, ... ) == 0x0 00358 460 NtUnmapViewOfSection (-1, 0x77c70000, ... ) == 0x0 00359 460 NtUnmapViewOfSection (-1, 0x77d40000, ... ) == 0x0 00360 460 NtUnmapViewOfSection (-1, 0x77dd0000, ... ) == 0x0 00361 460 NtUnmapViewOfSection (-1, 0x77cc0000, ... ) == 0x0 00362 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00363 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00364 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00365 460 NtClose (32, ... ) == 0x0 00366 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00367 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77c70000), 0x0, 262144, ) == 0x0 00368 460 NtClose (32, ... ) == 0x0 00369 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00370 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00371 460 NtClose (32, ... ) == 0x0 00372 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 32, ) }, ... 32, ) == 0x0 00373 460 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00374 460 NtClose (32, ... ) == 0x0 00375 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00376 460 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00377 460 NtQueryValueKey (32, (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00378 460 NtClose (32, ... ) == 0x0 00379 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0 00380 460 NtQueryValueKey (32, (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00381 460 NtClose (32, ... ) == 0x0 00382 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0 00383 460 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... 
) == 0x0 00384 460 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00386 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1568, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1568, 0} (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1568, 0} "XQ\26\0\0\0\0\0\0\0\0\0\374\207\16\366\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00387 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00388 460 NtGdiInit (... ) == 0x1 00389 460 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00390 460 NtGdiGetStockObject (18, ... ) == 0x290001c 00391 460 NtGdiGetStockObject (19, ... ) == 0x1b00019 00392 460 NtUserModifyUserStartupInfoFlags (1, 0, ... ) == 0x810cfb30 00393 460 NtUserGetDCEx (0, 0, 3, ... ) == 0x1010050 00394 460 NtGdiSetupPublicCFONT (16842832, 0, 0, ... ) == 0x100 00395 460 NtGdiGetTextExtent (16842832, 1327352, 1, 1244452, 1, ... ) == 0x1 00396 460 NtUserGetForegroundWindow (... ) == 0x2005c 00397 460 NtUserQueryWindow (131164, 0, ... ) == 0x7e8 00398 460 NtUserQueryWindow (131164, 1, ... 
) == 0x7ec 00399 460 NtGdiSetupPublicCFONT (16842832, 0, 0, ... ) == 0x100 00400 460 NtGdiGetTextMetricsW (16842832, 1243372, 68, ... ) == 0x1 00401 460 NtGdiGetTextCharsetInfo (16842832, 0, 0, ... ) == 0x0 00402 460 NtGdiCreateRectRgn (0, 0, 1, 1, ... ) == 0x604045d 00403 460 NtGdiGetRandomRgn (16842832, 100926557, 1, ... ) == 0x0 00404 460 NtGdiIntersectClipRect (16842832, 0, 0, 565, 738, ... ) == 0x3 00405 460 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 00406 460 NtGdiSetupPublicCFONT (0, 50987263, 6, ... ) == 0x3 00407 460 NtGdiGetTextCharsetInfo (16842832, 0, 0, ... ) == 0x0 00408 460 NtGdiGetRandomRgn (16842832, 117703773, 1, ... ) == 0x0 00409 460 NtGdiIntersectClipRect (16842832, 0, 0, 148, 738, ... ) == 0x3 00410 460 NtGdiExtSelectClipRgn (16842832, 0, 5, ... ) == 0x2 00411 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00412 460 NtUserFindExistingCursorIcon (1243240, 1243256, 1243824, ... ) == 0x10011 00413 460 NtUserSetCursor (65553, ... ) == 0x10015 00414 460 NtUserCallOneParam (1, 49, ... ) == 0x1 00415 460 NtUserFindExistingCursorIcon (1243192, 1243208, 1243776, ... ) == 0x10015 00416 460 NtUserSetCursor (65557, ... ) == 0x10011 00417 460 NtGdiCreateCompatibleDC (0, ... ) == 0x601045e 00418 460 NtGdiExtGetObjectW (50987263, 92, 1243520, ... ) == 0x5c 00419 460 NtGdiHfontCreate (1242956, 356, 0, 0, 1328664, ... ) == 0x10a045f 00420 460 NtGdiGetTextMetricsW (100729950, 1243460, 68, ... ) == 0x1 00421 460 NtGdiGetWidthTable (100729950, 52, 1329368, 308, 1329984, 1328736, 1328752, ... ) == 0x1 00422 460 NtGdiDeleteObjectApp (100729950, ... ) == 0x1 00423 460 NtUserGetForegroundWindow (... ) == 0x2005c 00424 460 NtUserQueryWindow (131164, 0, ... ) == 0x7e8 00425 460 NtUserQueryWindow (131164, 1, ... ) == 0x7ec 00426 460 NtUserGetAtomName (32770, 1242396, ... ) == 0x6 00427 460 NtUserCreateWindowEx (65793, 32770, 32770, (65793, 32770, 32770, " ", -2134375995, 404, 335, 224, 126, 0, 0, 2010382336, 0, 1073742848, 0, ... 
, -2134375995, 404, 335, 224, 126, 0, 0, 2010382336, 0, 1073742848, 0, ... 00428 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239920, ... ) }, 1239920, ... ) == 0x0 00429 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00430 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00431 460 NtClose (52, ... ) == 0x0 00432 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 204800, ) == 0x0 00433 460 NtClose (56, ... ) == 0x0 00434 460 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 00435 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240236, ... ) }, 1240236, ... ) == 0x0 00436 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00437 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00438 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00439 460 NtClose (56, ... ) == 0x0 00440 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00441 460 NtClose (52, ... ) == 0x0 00442 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00443 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00444 460 NtClose (52, ... ) == 0x0 00445 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00446 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3997696, 65536, ) == 0x0 00447 460 NtAllocateVirtualMemory (-1, 3997696, 0, 4096, 4096, 4, ... 3997696, 4096, ) == 0x0 00448 460 NtAllocateVirtualMemory (-1, 4001792, 0, 8192, 4096, 4, ... 4001792, 8192, ) == 0x0 00449 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00450 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00451 460 NtContinue (1238356, 0, ... 00452 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00453 460 NtUnmapViewOfSection (-1, 0x5ad70000, ... ) == 0x0 00454 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00455 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00456 460 NtUserSetWindowFNID (131250, 676, ... ) == 0x1 00457 460 NtUserCallHwndParam (131250, 1329908, 78, ... ) == 0x144af4 00458 460 NtUserMessageCall (0x200b2, WM_NCCREATE, 0x0, 0x12f4c8, 0, 670, 0, ... ) == 0x1 00459 460 NtUserMessageCall (0x200b2, WM_NCCALCSIZE, 0x0, 0x12f4f0, 0, 670, 0, ... ) == 0x0 00427 460 NtUserCreateWindowEx ... ) == 0x200b2 00460 460 NtUserCallHwndLock (131250, 89, ... ) == 0x1 00461 460 NtUserGetAtomName (49175, 1242396, ... ) == 0x6 00462 460 NtUserCreateWindowEx (4, 49175, 49175, (4, 49175, 49175, "OK", 1342373889, 71, 60, 75, 23, 131250, 1, 2010382336, 0, 1073742848, 0, ... , 1342373889, 71, 60, 75, 23, 131250, 1, 2010382336, 0, 1073742848, 0, ... 00463 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239920, ... ) }, 1239920, ... ) == 0x0 00464 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00465 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00466 460 NtClose (52, ... ) == 0x0 00467 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 204800, ) == 0x0 00468 460 NtClose (56, ... ) == 0x0 00469 460 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 00470 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240236, ... ) }, 1240236, ... ) == 0x0 00471 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00472 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00473 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00474 460 NtClose (56, ... ) == 0x0 00475 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00476 460 NtClose (52, ... ) == 0x0 00477 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00478 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00479 460 NtClose (52, ... ) == 0x0 00480 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00481 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 00482 460 NtAllocateVirtualMemory (-1, 4063232, 0, 4096, 4096, 4, ... 4063232, 4096, ) == 0x0 00483 460 NtAllocateVirtualMemory (-1, 4067328, 0, 8192, 4096, 4, ... 4067328, 8192, ) == 0x0 00484 460 NtQueryDebugFilterState (87, 3, ... 
) == 0x0 00485 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00486 460 NtContinue (1238356, 0, ... 00487 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00488 460 NtUnmapViewOfSection (-1, 0x5ad70000, ... ) == 0x0 00489 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00490 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00491 460 NtUserSetWindowFNID (65762, 673, ... ) == 0x1 00492 460 NtUserSetWindowLong (65762, 0, 1330700, 0, ... ) == 0x0 00493 460 NtUserMessageCall (0x100e2, WM_NCCREATE, 0x0, 0x12f4c8, 0, 670, 0, ... ) == 0x1 00494 460 NtUserMessageCall (0x100e2, WM_NCCALCSIZE, 0x0, 0x12f4f0, 0, 670, 0, ... ) == 0x0 00462 460 NtUserCreateWindowEx ... ) == 0x100e2 00495 460 NtUserGetAtomName (49177, 1242396, ... ) == 0x6 00496 460 NtUserCreateWindowEx (4, 49177, 49177, "1342308355, 11, 11, 0, 0, 131250, 20, 2010382336, 0, 1073742848, 0, ... 00497 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239920, ... ) }, 1239920, ... ) == 0x0 00498 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00499 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00500 460 NtClose (52, ... ) == 0x0 00501 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 204800, ) == 0x0 00502 460 NtClose (56, ... ) == 0x0 00503 460 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 00504 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240236, ... ) }, 1240236, ... ) == 0x0 00505 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00506 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 
52, ) == 0x0 00507 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00508 460 NtClose (56, ... ) == 0x0 00509 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00510 460 NtClose (52, ... ) == 0x0 00511 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00512 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00513 460 NtClose (52, ... ) == 0x0 00514 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00515 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0 00516 460 NtAllocateVirtualMemory (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0 00517 460 NtAllocateVirtualMemory (-1, 4132864, 0, 8192, 4096, 4, ... 4132864, 8192, ) == 0x0 00518 460 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00519 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00520 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00521 460 NtContinue (1238356, 0, ... 00522 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00523 460 NtUnmapViewOfSection (-1, 0x5ad70000, ... ) == 0x0 00524 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00525 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00526 460 NtUserSetWindowFNID (65764, 680, ... ) == 0x1 00527 460 NtUserSetWindowLong (65764, 0, 1331504, 0, ... ) == 0x0 00528 460 NtUserMessageCall (0x100e4, WM_NCCREATE, 0x0, 0x12f4c8, 0, 670, 0, ... ) == 0x1 00529 460 NtUserMessageCall (0x100e4, WM_NCCALCSIZE, 0x0, 0x12f4f0, 0, 670, 0, ... 
) == 0x0 00530 460 NtUserFindExistingCursorIcon (1241184, 1241200, 1241768, ... ) == 0x0 00531 460 NtUserFindExistingCursorIcon (1241184, 1241200, 1241768, ... ) == 0x0 00532 460 NtUserFindExistingCursorIcon (1241184, 1241200, 1241768, ... ) == 0x10009 00533 460 NtUserGetIconSize (65545, 0, 1241788, 1241792, ... ) == 0x1 00534 460 NtUserGetCursorFrameInfo (65545, 0, 1241824, 1241800, ... ) == 0x10009 00535 460 NtUserCallNoParam (29, ... 00536 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239200, ... ) }, 1239200, ... ) == 0x0 00537 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00538 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00539 460 NtClose (52, ... ) == 0x0 00540 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 204800, ) == 0x0 00541 460 NtClose (56, ... ) == 0x0 00542 460 NtUnmapViewOfSection (-1, 0x9a0000, ... ) == 0x0 00543 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239516, ... ) }, 1239516, ... ) == 0x0 00544 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00545 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00546 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00547 460 NtClose (56, ... ) == 0x0 00548 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00549 460 NtClose (52, ... ) == 0x0 00550 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 
52, ) == 0x0 00551 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00552 460 NtClose (52, ... ) == 0x0 00553 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00554 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10092544, 65536, ) == 0x0 00555 460 NtAllocateVirtualMemory (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0 00556 460 NtAllocateVirtualMemory (-1, 10096640, 0, 8192, 4096, 4, ... 10096640, 8192, ) == 0x0 00557 460 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00558 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00559 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00560 460 NtContinue (1237636, 0, ... 00561 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00562 460 NtUnmapViewOfSection (-1, 0x5ad70000, ... ) == 0x0 00563 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00564 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00535 460 NtUserCallNoParam ... ) == 0x0 00565 460 NtUserSetWindowPos (65764, 0, 0, 0, 32, 32, 22, ... 00566 460 NtUserMessageCall (0x100e4, WM_WINDOWPOSCHANGING, 0x0, 0x12f238, 0, 670, 0, ... ) == 0x0 00567 460 NtUserMessageCall (0x100e4, WM_NCCALCSIZE, 0x1, 0x12f20c, 0, 670, 0, ... ) == 0x0 00565 460 NtUserSetWindowPos ... ) == 0x1 00496 460 NtUserCreateWindowEx ... ) == 0x100e4 00568 460 NtUserGetAtomName (49177, 1242396, ... ) == 0x6 00569 460 NtUserCreateWindowEx (4, 49177, 49177, (4, 49177, 49177, "Cannot load library ODBC32.dll", 1342316672, 62, 20, 150, 15, 131250, 65535, 2010382336, 0, 1073742848, 0, ... , 1342316672, 62, 20, 150, 15, 131250, 65535, 2010382336, 0, 1073742848, 0, ... 
00570 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239920, ... ) }, 1239920, ... ) == 0x0 00571 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00572 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00573 460 NtClose (52, ... ) == 0x0 00574 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 204800, ) == 0x0 00575 460 NtClose (56, ... ) == 0x0 00576 460 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 00577 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240236, ... ) }, 1240236, ... ) == 0x0 00578 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00579 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00580 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00581 460 NtClose (56, ... ) == 0x0 00582 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00583 460 NtClose (52, ... ) == 0x0 00584 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 52, ) }, ... 52, ) == 0x0 00585 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00586 460 NtClose (52, ... ) == 0x0 00587 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00588 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10158080, 65536, ) == 0x0 00589 460 NtAllocateVirtualMemory (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0 00590 460 NtAllocateVirtualMemory (-1, 10162176, 0, 8192, 4096, 4, ... 10162176, 8192, ) == 0x0 00591 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00592 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00593 460 NtContinue (1238356, 0, ... 00594 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00595 460 NtUnmapViewOfSection (-1, 0x5ad70000, ... ) == 0x0 00596 460 NtUnmapViewOfSection (-1, 0x77c10000, ... ) == 0x0 00597 460 NtQueryDebugFilterState (87, 3, ... ) == 0x0 00598 460 NtUserSetWindowFNID (65766, 680, ... ) == 0x1 00599 460 NtUserSetWindowLong (65766, 0, 1331480, 0, ... ) == 0x0 00600 460 NtUserMessageCall (0x100e6, WM_NCCREATE, 0x0, 0x12f4c8, 0, 670, 0, ... ) == 0x1 00601 460 NtUserMessageCall (0x100e6, WM_NCCALCSIZE, 0x0, 0x12f4f0, 0, 670, 0, ... ) == 0x0 00569 460 NtUserCreateWindowEx ... ) == 0x100e6 00602 460 NtUserSetWindowLong (131250, -21, 1244896, 0, ... ) == 0x0 00603 460 NtUserCallHwnd (131250, 72, ... ) == 0xbc64b0a0 00604 460 NtAllocateVirtualMemory (-1, 0, 0, 131064, 8192, 4, ... 10223616, 131072, ) == 0x0 00605 460 NtAllocateVirtualMemory (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0 00606 460 NtUserSetFocus (65762, ... 00607 460 NtUserMessageCall (0x200b2, WM_NCACTIVATE, 0x1, 0x0, 0, 670, 0, ... ) == 0x1 00606 460 NtUserSetFocus ... ) == 0x0 00608 460 NtUserSetWindowLong (65762, -12, 2, 0, ... ) == 0x1 00609 460 NtUserMessageCall (0x200b2, 0x128, 0x30001, 0x0, 0, 670, 0, ... 00610 460 NtUserMessageCall (0x100e2, 0x128, 0x30001, 0x0, 0, 670, 0, ... 
) == 0x0 00611 460 NtUserMessageCall (0x100e4, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 00612 460 NtUserMessageCall (0x100e6, 0x128, 0x30001, 0x0, 0, 670, 0, ... ) == 0x0 00609 460 NtUserMessageCall ... ) == 0x0 00613 460 NtUserShowWindow (131250, 1, ... 00614 460 NtUserMessageCall (0x200b2, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00615 460 NtUserFillWindow (131250, 131250, 16842833, 4, ... ) == 0x1 00613 460 NtUserShowWindow ... ) == 0x0 00616 460 NtUserCallHwndLock (131250, 93, ... 00617 460 NtUserMessageCall (0x200b2, WM_PAINT, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 00618 460 NtUserBeginPaint (0x100e2, 1243324, ... 00619 460 NtUserMessageCall (0x100e2, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00618 460 NtUserBeginPaint ... ) == 0x1010051 00620 460 NtUserGetControlBrush (0x100e2, 16842833, 309, ... ) == 0x1100056 00621 460 NtGdiIntersectClipRect (16842833, 0, 0, 75, 23, ... ) == 0x3 00622 460 NtGdiIntersectClipRect (16842833, 3, 3, 72, 20, ... ) == 0x3 00623 460 NtUserEndPaint (0x100e2, 1243324, ... ) == 0x1 00624 460 NtUserBeginPaint (0x100e4, 1243336, ... 00625 460 NtUserMessageCall (0x100e4, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00624 460 NtUserBeginPaint ... ) == 0x1010051 00626 460 NtGdiIntersectClipRect (16842833, 0, 0, 32, 32, ... ) == 0x3 00627 460 NtUserGetControlBrush (0x100e4, 16842833, 312, ... ) == 0x1100056 00628 460 NtGdiGetDCDword (16842833, 7, 1243056, ... ) == 0x1 00629 460 NtUserDrawIconEx (16842833, 0, 0, 65545, 32, 32, 0, 17825878, 3, 0, 1243100, ... ) == 0x1 00630 460 NtUserEndPaint (0x100e4, 1243336, ... ) == 0x1 00631 460 NtUserBeginPaint (0x100e6, 1243336, ... 00632 460 NtUserMessageCall (0x100e6, WM_NCPAINT, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00631 460 NtUserBeginPaint ... ) == 0x1010051 00633 460 NtGdiIntersectClipRect (16842833, 0, 0, 150, 15, ... ) == 0x3 00634 460 NtUserGetControlBrush (0x100e6, 16842833, 312, ... ) == 0x1100056 00635 460 NtUserEndPaint (0x100e6, 1243336, ... ) == 0x1 00616 460 NtUserCallHwndLock ... 
) == 0x1 00636 460 NtUserPeekMessage (0, 0, 0, 1, ... 00637 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241188, ... ) }, 1241188, ... ) == 0x0 00638 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00639 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 56, ) == 0x0 00640 460 NtClose (52, ... ) == 0x0 00641 460 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9e0000), 0x0, 45056, ) == 0x0 00642 460 NtClose (56, ... ) == 0x0 00643 460 NtUnmapViewOfSection (-1, 0x9e0000, ... ) == 0x0 00644 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241504, ... ) }, 1241504, ... ) == 0x0 00645 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 1241504, ... ) }, 1241504, ... ) == 0x0 00646 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\VMware\VMware Tools\hook.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0 00647 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 56, ... 52, ) == 0x0 00648 460 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00649 460 NtClose (56, ... ) == 0x0 00650 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 49152, ) == 0x0 00651 460 NtClose (52, ... ) == 0x0 00652 460 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... (0x10006000), 4096, 2, ) == 0x0 00653 460 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 00654 460 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 00655 460 NtProtectVirtualMemory (-1, (0x10006000), 256, 4, ... 
(0x10006000), 4096, 2, ) == 0x0 00656 460 NtProtectVirtualMemory (-1, (0x10006000), 4096, 2, ... (0x10006000), 4096, 4, ) == 0x0 00657 460 NtFlushInstructionCache (-1, 268460032, 256, ... ) == 0x0 00658 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00659 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10354688, 65536, ) == 0x0 00660 460 NtAllocateVirtualMemory (-1, 10354688, 0, 4096, 4096, 4, ... 10354688, 4096, ) == 0x0 00661 460 NtAllocateVirtualMemory (-1, 10358784, 0, 8192, 4096, 4, ... 10358784, 8192, ) == 0x0 00662 460 NtQueryPerformanceCounter (... {109864315, 0}, {3579545, 0}, ) == 0x0 00663 460 NtUserMessageCall (0x200b2, WM_SETCURSOR, 0x200b2, 0x2000001, 0, 670, 0, ... ) == 0x0 00636 460 NtUserPeekMessage ... {0x200b2, WM_MOUSEFIRST, 0x0, 0x140069, 0x6d31, {512, 384}}, ) == 0x1 00664 460 NtOpenProcessToken (-1, 0x8, ... 52, ) == 0x0 00665 460 NtQueryInformationToken (52, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00666 460 NtClose (52, ... ) == 0x0 00667 460 NtUserCallMsgFilter (1243692, 0, ... ) == 0x0 00668 460 NtUserPeekMessage (0, 0, 0, 1, ... {0x200b2, WM_MOUSEFIRST, 0x0, 0x140069, 0x6d31, {512, 384}}, ) == 0x0 00669 460 NtUserWaitMessage (... ) == 0x1 00670 460 NtUserPeekMessage (0, 0, 0, 1, ... 00671 460 NtUserMessageCall (0x200b2, WM_GETICON, 0x2, 0x0, 0, 670, 0, ... ) == 0x0 00670 460 NtUserPeekMessage ... {0x200b2, WM_MOUSEFIRST, 0x0, 0x140069, 0x6d31, {512, 384}}, ) == 0x0 00672 460 NtUserWaitMessage (... ) == 0x1 00673 460 NtUserPeekMessage (0, 0, 0, 1, ... 00674 460 NtUserMessageCall (0x200b2, WM_GETICON, 0x0, 0x0, 0, 670, 0, ... ) == 0x0 00673 460 NtUserPeekMessage ... 
{0x200b2, WM_MOUSEFIRST, 0x0, 0x140069, 0x6d31, {512, 384}}, ) == 0x0 00675 460 NtUserWaitMessage (... ) == 0x1 00676 460 NtUserPeekMessage (0, 0, 0, 1, ... 00677 460 NtUserMessageCall (0x200b2, WM_GETICON, 0x1, 0x0, 0, 670, 0, ... ) == 0x0 00676 460 NtUserPeekMessage ... {0x200b2, WM_MOUSEFIRST, 0x0, 0x140069, 0x6d31, {512, 384}}, ) == 0x0 00678 460 NtUserWaitMessage (...