Summary:
NtAddAtom(>) | 1 | NtGdiDoPalette(>) | 2 | NtWriteFile(>) | 7 | NtSetInformationFile(>) | 32 |
NtCallbackReturn(>) | 1 | NtGdiHfontCreate(>) | 2 | NtOpenMutant(>) | 8 | NtQueryVirtualMemory(>) | 33 |
NtClearEvent(>) | 1 | NtRegisterThreadTerminatePort(>) | 2 | NtCreateSemaphore(>) | 9 | NtCreateFile(>) | 34 |
NtCreateThread(>) | 1 | NtSetEventBoostPriority(>) | 2 | NtSetInformationThread(>) | 9 | NtQueryDefaultLocale(>) | 36 |
NtDelayExecution(>) | 1 | NtTestAlert(>) | 2 | NtFsControlFile(>) | 10 | NtQueryDebugFilterState(>) | 44 |
NtDuplicateToken(>) | 1 | NtUserCreateWindowEx(>) | 2 | NtUserGetWindowDC(>) | 10 | NtCreateEvent(>) | 49 |
NtGdiCreateBitmap(>) | 1 | NtUserGetObjectInformation(>) | 2 | NtEnumerateValueKey(>) | 12 | NtUserFindExistingCursorIcon(>) | 51 |
NtGdiCreatePatternBrushInternal(>) | 1 | NtUserGetThreadDesktop(>) | 2 | NtUserCallOneParam(>) | 12 | NtOpenSection(>) | 53 |
NtGdiInit(>) | 1 | NtUserMessageCall(>) | 2 | NtUserSystemParametersInfo(>) | 12 | NtUserRegisterClassExWOW(>) | 65 |
NtGdiQueryFontAssocInfo(>) | 1 | NtUserSetWindowsHookEx(>) | 2 | NtQueryPerformanceCounter(>) | 13 | NtOpenProcessTokenEx(>) | 79 |
NtGdiSelectBitmap(>) | 1 | NtUserUnregisterClass(>) | 2 | NtQueryVolumeInformationFile(>) | 13 | NtOpenThreadTokenEx(>) | 79 |
NtOpenKeyedEvent(>) | 1 | NtYieldExecution(>) | 2 | NtCreateMutant(>) | 14 | NtSetEvent(>) | 80 |
NtQueryEvent(>) | 1 | NtConnectPort(>) | 3 | NtQueryDirectoryFile(>) | 14 | NtReadFile(>) | 84 |
NtQueryFullAttributesFile(>) | 1 | NtContinue(>) | 3 | NtOpenProcessToken(>) | 15 | NtOpenFile(>) | 85 |
NtQueryInformationThread(>) | 1 | NtOpenDirectoryObject(>) | 3 | NtReleaseSemaphore(>) | 16 | NtAllocateVirtualMemory(>) | 87 |
NtQueryInstallUILanguage(>) | 1 | NtOpenEvent(>) | 3 | NtNotifyChangeKey(>) | 19 | NtQueryInformationToken(>) | 92 |
NtQueryObject(>) | 1 | NtOpenProcess(>) | 3 | NtOpenThreadToken(>) | 19 | NtQuerySystemInformation(>) | 93 |
NtQuerySystemTime(>) | 1 | NtAccessCheck(>) | 4 | NtQueryInformationProcess(>) | 19 | NtMapViewOfSection(>) | 94 |
NtResumeThread(>) | 1 | NtGdiDeleteObjectApp(>) | 4 | NtSetValueKey(>) | 19 | NtCreateSection(>) | 105 |
NtSecureConnectPort(>) | 1 | NtOpenSymbolicLinkObject(>) | 4 | NtQueryDefaultUILanguage(>) | 20 | NtQueryKey(>) | 114 |
NtUserGetAtomName(>) | 1 | NtQuerySymbolicLinkObject(>) | 4 | NtRequestWaitReplyPort(>) | 22 | NtQueryAttributesFile(>) | 116 |
NtUserGetDC(>) | 1 | NtFreeVirtualMemory(>) | 5 | NtCreateKey(>) | 23 | NtWaitForSingleObject(>) | 116 |
NtUserGetGUIThreadInfo(>) | 1 | NtGdiCreateCompatibleDC(>) | 5 | NtReleaseMutant(>) | 25 | NtFlushInstructionCache(>) | 210 |
NtUserGetProcessWindowStation(>) | 1 | NtGdiGetStockObject(>) | 5 | NtUserRegisterWindowMessage(>) | 25 | NtProtectVirtualMemory(>) | 435 |
NtUserSetProp(>) | 1 | NtSetInformationObject(>) | 5 | NtEnumerateKey(>) | 26 | NtQueryValueKey(>) | 610 |
NtCreateIoCompletion(>) | 2 | NtDuplicateObject(>) | 6 | NtQueryInformationFile(>) | 27 | NtOpenKey(>) | 742 |
NtGdiCreateHalftonePalette(>) | 2 | NtSetInformationProcess(>) | 6 | NtQuerySection(>) | 28 | NtClose(>) | 745 |
NtGdiCreatePaletteInternal(>) | 2 | NtUserCallNoParam(>) | 7 | NtUnmapViewOfSection(>) | 28 | ||
NtGdiCreateSolidBrush(>) | 2 | NtWaitForMultipleObjects(>) | 7 |
, ) \12#\260\371 ... {status=0x0, info=256}, ";X\36K\330\267\340\\13\14\354\255u\205=\220\316R\273\302\255(\360\3272\267\300\330\33\230\313/\372\271\317o\201\33\236\22\352\252\137\36\2666T\d\266!),\322\201q\314hB\323\345\372\357\371\212\335pND#\307K\340\234\335\262\234\346?\26\232\306foI1=\251y\36\341\247\362I|3\16'r\2\226\262\323\14\360l}\321\330\343\237\247\210N%-B\6\250\335B\252L\317\250pl{\17\242y\306kJ\341R\372\12\27C\316\37\360\330\271\254S\233\223\330\10B\260FiR\262(\250w\341~\14\330@9G\302\31"\12#\260\371"\361\232\227\240\2, ) , ) == 0x0 01469 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01470 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01471 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01472 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01473 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01474 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01475 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01476 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01477 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01478 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "N\37\206\222g\217\2428\341&\245\216y\2203\207\200\305\236\246)[D\27s\205\304\363\6\206\337\26\305k.\3528\240:\16\302\335\315\11\255\236\367\14\311\0\355c\\32_\366\1-\205\241u\2435\205@D\356\343fRx\243\252D\211\215&\321\264\265", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "N\37\206\222g\217\2428\341&\245\216y\2203\207\200\305\236\246)[D\27s\205\304\363\6\206\337\26\305k.\3528\240:\16\302\335\315\11\255\236\367\14\311\0\355c\\32_\366\1-\205\241u\2435\205@D\356\343fRx\243\252D\211\215&\321\264\265", 80, ... ) , 80, ... ) == 0x0 01479 896 NtClose (-2147482756, ... ) == 0x0 01469 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "W\351\313*\10\\271\342E)G\7#\16\3\216mK\354\255\255xw\262I.#w?\341\235H\206\23\276\344n[\311\2608\331\230P24\222\355\236\216\203\341l+\363\0z[\6\316l\271\214\207\11\332WJ\247\22~\354\342O\234\260\307\256\377\311,\252~\303m\256fa\322\177\3504k\325\343%L\256\33J\333H\315 \5\22\340\363_\16}J\1\224\266XC}\311*\36p^\226\227\200\34\255\265\2066e\32685r\351C-)\300\250\373\32\217\376&Yu\11\334\230\215\332\31\26\4\242\26\300t\256\300\316\315P\3038\15\214\10&k)"N0\365\271\364\325g\256\334\360\354K3\317\260p\325<\4\1\272o@9\311<\311\215?c-j\3428\304=>\211]*+\315\35)h\372ZvK?\321@\213\323\233MPN\345\243\244q\6\204c.h\36`+x\376\7\341\251\351\227\12\27D\260", ) N0\365\271\364\325g\256\334\360\354K3\317\260p\325<\4\1\272o@9\311<\311\215?c-j\3428\304=>\211]*+\315\35)h\372ZvK?\321@\213\323\233MPN\345\243\244q\6\204c.h\36`+x\376\7\341\251\351\227\12\27D\260", ) == 0x0 01480 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01481 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01482 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01483 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01484 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01485 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01486 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01487 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01488 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01489 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\246\210\343\254\323]\252Fk^\225\370\244\33N"\272R\273\2536g\252mt\267\36\250^@@FW\15hH\0\303\331\307FEv\359>\345\12\373\337\375\20\247a\371''k\5O\226\261L2\265\321\22\323>\252O\35\262L\4\33\3465\223k", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\246\210\343\254\323]\252Fk^\225\370\244\33N"\272R\273\2536g\252mt\267\36\250^@@FW\15hH\0\303\331\307FEv\359>\345\12\373\337\375\20\247a\371''k\5O\226\261L2\265\321\22\323>\252O\35\262L\4\33\3465\223k", 80, ... ) \272R\273\2536g\252mt\267\36\250^@@FW\15hH\0\303\331\307FEv\359>\345\12\373\337\375\20\247a\371''k\5O\226\261L2\265\321\22\323>\252O\35\262L\4\33\3465\223k", 80, ... ) == 0x0 01490 896 NtClose (-2147482756, ... ) == 0x0 01480 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\304B\273\343oB\254\354:\373q\252\214\366z\234\11r0\305Q\262J3\322c\316A\266B\224\331Bg\257WfZ\256\350\353\333\306\345\31\332\24Q\374\352\321V"Q\120\242\364\327\335\311\334t\207\345\320\345\316\346\336\366\2171\242\363\237\322\234\233\12#\2379q\264\243\277`\0Y\24\374\2711?\336'\213\355r*\264\375(8c\332\332\211\205q\335\332\356\351\270\240\26\245\332*4\25D\177\316\316\340\340\330\301\204\7f\350`\27\333\241H).m\212T\34qg\233\255\21w"\210\326\216\324~\326fsR\337 \357\320K\246\366\37\336\223\376}\216\271\364\240.\315\347\23V\327z5n<\30\17\337\273D$\257\211\277\26\226\351u\346\227\315\4\253D8\345\250\21\261\336L&fw\224\36[\256$\27.\233dh\315GZwi6\306s\340\242#\304\354u]\356 \317\353\251W\2016\362 \221\343D\231", ) Q\120\242\364\327\335\311\334t\207\345\320\345\316\346\336\366\2171\242\363\237\322\234\233\12#\2379q\264\243\277`\0Y\24\374\2711?\336'\213\355r*\264\375(8c\332\332\211\205q\335\332\356\351\270\240\26\245\332*4\25D\177\316\316\340\340\330\301\204\7f\350`\27\333\241H).m\212T\34qg\233\255\21w ... {status=0x0, info=256}, "\304B\273\343oB\254\354:\373q\252\214\366z\234\11r0\305Q\262J3\322c\316A\266B\224\331Bg\257WfZ\256\350\353\333\306\345\31\332\24Q\374\352\321V"Q\120\242\364\327\335\311\334t\207\345\320\345\316\346\336\366\2171\242\363\237\322\234\233\12#\2379q\264\243\277`\0Y\24\374\2711?\336'\213\355r*\264\375(8c\332\332\211\205q\335\332\356\351\270\240\26\245\332*4\25D\177\316\316\340\340\330\301\204\7f\350`\27\333\241H).m\212T\34qg\233\255\21w"\210\326\216\324~\326fsR\337 \357\320K\246\366\37\336\223\376}\216\271\364\240.\315\347\23V\327z5n<\30\17\337\273D$\257\211\277\26\226\351u\346\227\315\4\253D8\345\250\21\261\336L&fw\224\36[\256$\27.\233dh\315GZwi6\306s\340\242#\304\354u]\356 \317\353\251W\2016\362 \221\343D\231", ) , ) == 0x0 01491 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01492 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01493 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01494 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01495 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01496 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01497 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01498 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01499 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01500 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\310\352\22\342N\251\330\225\355\366\31\347IW\262\320*\317\12\210\365\2244w\260ym\253b\255\211@]f\10\27"^\355\207\365g\301PU\6B\276ow\310!(\334\240\31\306\341\245\305i\220L\177H\22\225SK\222\274\376Z\307u\200$\305\344\206", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\310\352\22\342N\251\330\225\355\366\31\347IW\262\320*\317\12\210\365\2244w\260ym\253b\255\211@]f\10\27"^\355\207\365g\301PU\6B\276ow\310!(\334\240\31\306\341\245\305i\220L\177H\22\225SK\222\274\376Z\307u\200$\305\344\206", 80, ... ) ^\355\207\365g\301PU\6B\276ow\310!(\334\240\31\306\341\245\305i\220L\177H\22\225SK\222\274\376Z\307u\200$\305\344\206", 80, ... ) == 0x0 01501 896 NtClose (-2147482756, ... ) == 0x0 01491 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\31\366\362\226B\21\237\362\322\27\31\17\j7\271(\14\260\353\262\355N\330e$\2\254,R:-Ku\10\321a\74\0\224\0\17\11\312RG\336m\340\272\277\177x\17\26\355\305\22`\12\246\25g\6\355\221\331\335\272\334\1e\354\357\2\13[\365\320\333<\336\12\326\200\376]\33\365-\303oy\331\244\374m\21\2633\267\315\367\327\255\10\273\264z\337\237\254\366Y\231{X\211\274\340z\362\210xw\223d|\313\203E\310\366ta\354\337\4\252\177\336]D\204c\367\375l\243\313n{\274x-\341dLM\350\375X)\217\255a\362\310\230\36n\275\252\205\5\24\4%\230\364\231\351\212oW\5L\VyK\346\216\273\14d\363\264^\224\300\216\232\370\2269(\220ml\273\22\207\232\10%\242\255\241\255\35\344jb+,$\20\10\376\230\220\205f\333\205\177\13Cz\256Oh\235\36+&\321\20\200a\303\22\22\276", ) , ) == 0x0 01502 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01503 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01504 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01505 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01506 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01507 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01508 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01509 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01510 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01511 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\25\354P\367s\337\273\305n\206pU\324\300\36\2233\216\336\337\2724\257\6J\351\373\302\367\321&\37\332*\276v2\326\243>\365@\4(\341\240\326C\366\364\204\3\4\11\244\354\360Zh\3 \21\16\275\36\h\\26\250\363\320\356\313\256m\250Pw", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\25\354P\367s\337\273\305n\206pU\324\300\36\2233\216\336\337\2724\257\6J\351\373\302\367\321&\37\332*\276v2\326\243>\365@\4(\341\240\326C\366\364\204\3\4\11\244\354\360Zh\3 \21\16\275\36\h\\26\250\363\320\356\313\256m\250Pw", 80, ... ) , 80, ... ) == 0x0 01512 896 NtClose (-2147482756, ... ) == 0x0 01502 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\222\364\250\343\261\240\265o\202\1\343\225\350\12\236\23)\233u7Ea\234s\254#\215\234\260*\2466\302\375\13\366\224\341#\2740\212O\223\6\316\363\37\251\313\216R\303\335\364r\27H7pu|k\34\13\273N\4f\210\331H\244\200\304\260\351w8\345\3409\305\345\315\3719v\311\355\337/\222\254HW]\213=\264\350wd\27\244\215\264\325\212IL\306\230\352\22G<\306\37s\0\204+\1771\240,\301\217P\376\362\206\243\340\326SJn\312\271LH\22\304i\27\354)\247\12\366\207ASD\207\364\11\331AS]\362\244\313\356_8\331\374\306\300p}\332_\315\37#\205\346\220\246\375\221G\32\227\356\201h=\7\330\252\335p\17c\302\305\273\362\210K\254!V\317<\257}\12p\2048.\324\331(5\224;\2023\253n\230\310!/\6\3\355\264\246\17\310\360\223\244\2#/MM\311\320\323\362\273\333q\230", ) , ) == 0x0 01513 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01514 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01515 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01516 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01517 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01518 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01519 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01520 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01521 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01522 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\225\225\226\314za\347:\315\273h\344k\220\257\316\372\30\177\336\23\2003]\233\266\\273P@\364ct$'\267\257'\347O4M\340\264\345,\363i\264|\312\351g\365\2376$\276*M\262\222Q\17(\215h\240>\370g\240\212{\247 \274\277-\275", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\225\225\226\314za\347:\315\273h\344k\220\257\316\372\30\177\336\23\2003]\233\266\\273P@\364ct$'\267\257'\347O4M\340\264\345,\363i\264|\312\351g\365\2376$\276*M\262\222Q\17(\215h\240>\370g\240\212{\247 \274\277-\275", 80, ... ) , 80, ... ) == 0x0 01523 896 NtClose (-2147482756, ... ) == 0x0 01513 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\370\34\213\265\206\2624\327';\213V\16wI\343H\226G\2363\10\242\237\356\313;\276\226\2\24\322\305\365]\242ozo\353\347\23|\245\251j(\17\316\333z\17\321\266\300)Q\34\241Q\354[\345GJ\335`\247U%\274\317Rg\30\223\260\316\317Q\5\211X0\34,\15\304\324\314\27 \202>Po^\337P\207\365\314"\13\317\306\241\313M%{~\314\215\242\340J\231\252\232\347\306\274/\225\4b\327\313\300k\K\32\13 W\2627\345\343.z\27p<\177\233\341\231\353)\216\301gj%.\273\2'\374\215\341z\202mEY\307(_q|\247\367\254<\244\246\367BD\4,k\213\317\201\13\377"^\235\262\342\30\377\36y\336\34\275\226mf\2$\24\6\306aA\26\322D\277\313m0\200\366f\362\315_\224\342rT5\214\240\267\343\5G\32\370g\301\2135\246?\334M\16c\362\360>\375\204\337", ) \13\317\306\241\313M%{~\314\215\242\340J\231\252\232\347\306\274/\225\4b\327\313\300k\K\32\13 W\2627\345\343.z\27p<\177\233\341\231\353)\216\301gj%.\273\2'\374\215\341z\202mEY\307(_q|\247\367\254<\244\246\367BD\4,k\213\317\201\13\377 ... {status=0x0, info=256}, "\370\34\213\265\206\2624\327';\213V\16wI\343H\226G\2363\10\242\237\356\313;\276\226\2\24\322\305\365]\242ozo\353\347\23|\245\251j(\17\316\333z\17\321\266\300)Q\34\241Q\354[\345GJ\335`\247U%\274\317Rg\30\223\260\316\317Q\5\211X0\34,\15\304\324\314\27 \202>Po^\337P\207\365\314"\13\317\306\241\313M%{~\314\215\242\340J\231\252\232\347\306\274/\225\4b\327\313\300k\K\32\13 W\2627\345\343.z\27p<\177\233\341\231\353)\216\301gj%.\273\2'\374\215\341z\202mEY\307(_q|\247\367\254<\244\246\367BD\4,k\213\317\201\13\377"^\235\262\342\30\377\36y\336\34\275\226mf\2$\24\6\306aA\26\322D\277\313m0\200\366f\362\315_\224\342rT5\214\240\267\343\5G\32\370g\301\2135\246?\334M\16c\362\360>\375\204\337", ) , ) == 0x0 01524 896 NtDeviceIoControlFile (52, 0, 0x0, 0x0, 0x390008, (52, 0, 0x0, 0x0, 0x390008, "e\306E\332\356\5\321%a0/\345\37E\336x_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25v\240_.\360\36\25\232\234\221\373\12\202R\34I\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01525 896 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 01526 896 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 01527 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01528 896 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01529 896 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01530 896 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01531 896 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01532 896 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482756, 2, ) }, 0, 0x0, 0, ... -2147482756, 2, ) == 0x0 01533 896 NtSetValueKey (-2147482756, (-2147482756, "Seed", 0, 3, "\240g\256\213y\19\320\223U\376\374Y27\347y5\343\2676\356k#\355\244\201\215.\3\270K\346,6GV?\0M"\354%\3061\3511f\244\200v\3347\264<\374(\366\34\346\340\332\217*A+\204\354\253"\303\253\26\265h\233\351\15\276\350", 80, ... ) , 0, 3, (-2147482756, "Seed", 0, 3, "\240g\256\213y\19\320\223U\376\374Y27\347y5\343\2676\356k#\355\244\201\215.\3\270K\346,6GV?\0M"\354%\3061\3511f\244\200v\3347\264<\374(\366\34\346\340\332\217*A+\204\354\253"\303\253\26\265h\233\351\15\276\350", 80, ... ) \354%\3061\3511f\244\200v\3347\264<\374(\366\34\346\340\332\217*A+\204\354\253 (-2147482756, "Seed", 0, 3, "\240g\256\213y\19\320\223U\376\374Y27\347y5\343\2676\356k#\355\244\201\215.\3\270K\346,6GV?\0M"\354%\3061\3511f\244\200v\3347\264<\374(\366\34\346\340\332\217*A+\204\354\253"\303\253\26\265h\233\351\15\276\350", 80, ... ) , 80, ... ) == 0x0 01534 896 NtClose (-2147482756, ... ) == 0x0 01524 896 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\354a\266\214\354\301\177\262\363\201\342Cn\306S+\270\2043mOG\342+mw\30\311Z6`\255)\271\241d\2144!\3738\330\16\251I\334H\351K\255\2243\320\255\276)\231\277\243\320\331"\344\233\326i\213\302\5\214\225~v\303\254\2\212z\357AC\302\306[g\34 th\352\14\367XA\306\364\337\335\373 \3\241\15\307\0\22\375\37\327\277F\233\23?kXaY\362\256I\267\30\13\334\267Ly\265\231\306\367\353\345\321Jw\10\333z9\356\340^\353\214\255\313\14v\221\313\300\340\347\231\25\317o\324\213\11H\242 \377\262dj.\303\217Y&-\233\311\31731\202\201\331\6g\325\376D\254WoF\345ZShS>#Lp \177\o\33\2542\243R\336g%v\302\336h\270%\334L*\20WH\333\214fx\357\240h\262\2021\304\17\320\17i(\13\267x\2559\33\23\240\202\327\207u.\20q", ) \344\233\326i\213\302\5\214\225~v\303\254\2\212z\357AC\302\306[g\34 th\352\14\367XA\306\364\337\335\373 \3\241\15\307\0\22\375\37\327\277F\233\23?kXaY\362\256I\267\30\13\334\267Ly\265\231\306\367\353\345\321Jw\10\333z9\356\340^\353\214\255\313\14v\221\313\300\340\347\231\25\317o\324\213\11H\242 \377\262dj.\303\217Y&-\233\311\31731\202\201\331\6g\325\376D\254WoF\345ZShS>#Lp \177\o\33\2542\243R\336g%v\302\336h\270%\334L*\20WH\333\214fx\357\240h\262\2021\304\17\320\17i(\13\267x\2559\33\23\240\202\327\207u.\20q", ) == 0x0 01535 896 NtClose (140, ... ) == 0x0 01536 896 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\u:\work\"}, 3, 33, ... 140, {status=0x0, info=1}, ) }, 3, 33, ... 140, {status=0x0, info=1}, ) == 0x0 01537 896 NtQueryVolumeInformationFile (140, 1238992, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01538 896 NtClose (12, ... ) == 0x0 01539 896 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spooIsv.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01540 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238156, (0x80100080, {24, 0, 0x40, 0, 1238156, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 12, {status=0x0, info=1}, ) == 0x0 01541 896 NtQueryInformationFile (12, 1238592, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01542 896 NtQueryInformationFile (12, 1238508, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01543 896 NtQueryInformationFile (12, 1238324, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01544 896 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 01545 896 NtQueryInformationFile (12, 1371184, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01546 896 NtQueryInformationFile (12, 1236772, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01547 896 NtQueryInformationFile (12, 1237048, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01548 896 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1236924, (0x40110080, {24, 0, 0x40, 0, 1236924, "\??\C:\WINDOWS\system32\spooIsv.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 01549 896 NtClose (-2147482756, ... ) == 0x0 01548 896 NtCreateFile ... 136, {status=0x0, info=2}, ) == 0x0 01550 896 NtQueryVolumeInformationFile (136, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01551 896 NtQueryInformationFile (136, 1236660, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01552 896 NtQueryVolumeInformationFile (12, 1237076, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01553 896 NtQueryVolumeInformationFile (12, 1236420, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01554 896 NtSetInformationFile (136, 1236976, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01555 896 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 12, ... 144, ) == 0x0 01556 896 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x340000), {0, 0}, 81920, ) == 0x0 01557 896 NtClose (144, ... ) == 0x0 01558 896 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\300\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0]e\375\310\31\4\223\233\31\4\223\233\31\4\223\233\227\33\200\233\21\4\223\233\345$\201\233\30\4\223\233Rich\31\4\223\233\0\0\0\0\0\0\0\0-\255\257dIP\2452mx{\242\3611\274\205PE\0\0L\1\4\0\300\304\317E\0\0\0\0\0\0\0\0\340\0\16\1\13\1\5\14\0\0\0\0\0\0\0\0\0\0\0\0\0@\3\0\0\340\2\0\0\0\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\260\3\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\31\327\2\0(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\3\00\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@,\3\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.packed\0\0\20\2\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\340.RLPack\0\0\300\0\0\0 \2\0\224\272\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... {status=0x0, info=61440}, ) == 0x0 01559 896 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "\22\31\0\0\11\300\17\205S\357\377\377\350O\357\377\377\351I\357\377\377\303\351\23\25\0\0\303\201\353\0\0\1\0\213\3\367\330\351#\352\377\377\13\360\201\365:\226q5\301\302\32\201\302\223#4~\207\24$\351\234\16\0\0Z\351\244\0\0\0\377E\340\213E\344\351\332\360\377\377\203}\344\17\17\205\350\346\377\377\213E\344\351i\334\377\377\350\263\357\377\377\213E\374\350\252\370\377\377\204\300\17\205\355\346\377\377\351\337\346\377\377\303\351V\372\377\377\350u\357\377\377\367\325\351\262\361\377\377\211\14$Y]\303PQhK\374%\23Y\351\276\26\0\0PR\213\326\207\24$h\230\350:H^\201\316\344\247/x\351@\374\377\3771\362\301\302\5\1\372\301\302\51\352\301\302\5\1\342\301\302\5\351l\323\377\377\235\351\24\30\0\0\213E\370\213\345]\303\3503\347\377\377\351\357\362\377\377\17\213\242\16\0\0\207<$_]\351c\2\0\0\377u\10h\302\345B\0\351\302\27\0\0\235\351\367\374\377\377\17\206\325\0\0\0\213)\351\353\364\377\377\303U\213\354\350\243\327\377\377\213E\10Ph\236\353B\0\351\313\11\0\0\211\34$[\350e\346\377\377\203=\4\17C\0\0\17\205e\326\377\377h\216+C\0\351\255\357\377\377P\301\300\13\211\5\240\27C\0\303\351B\2\0\0\351^\351\377\377\3519\323\377\377\301\310\13P\303\207*\1\0\0\0\0\351\225\346\377\377P\301\300\26\211\5\264\34C\0\303\301\310\26\3501\0\0\0\351T\0\0\0\303\17\204\2\361\377\377\17\202\361\0\0\0Pj\0\350\307\23\0\0X\2038\0\17\205\350\377\377\377\351\250\27\0\0\303\2072\351\346\17\0\0h0*C\0\351\360\367\377\377\2074$\211\354\275\342\21C\0\207,$\303\351\270\376\377\377h=\245\247\370X\351\240\23\0\0\17\224\300\350\360\376\377", 18944, 0x0, 0, ... {status=0x0, info=18944}, ) , 18944, 0x0, 0, ... {status=0x0, info=18944}, ) == 0x0 01560 896 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 01561 896 NtSetInformationFile (136, 1238324, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01562 896 NtClose (12, ... ) == 0x0 01563 896 NtClose (136, ... ) == 0x0 01564 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spooIsv.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 01565 896 NtSetInformationFile (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01566 896 NtClose (136, ... ) == 0x0 01567 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\spooIsv.exe"}, 7, 2113568, ... 136, {status=0x0, info=1}, ) }, 7, 2113568, ... 136, {status=0x0, info=1}, ) == 0x0 01568 896 NtSetInformationFile (136, 1239244, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01569 896 NtClose (136, ... ) == 0x0 01570 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238952, (0x80100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\explorer.exe"}, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01571 896 NtQueryInformationFile (136, 1239004, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01572 896 NtClose (136, ... ) == 0x0 01573 896 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1238952, (0x40100080, {24, 0, 0x40, 0, 1238952, "\??\C:\WINDOWS\system32\spooIsv.exe"}, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 128, 2, 1, 96, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01574 896 NtSetInformationFile (136, 1239004, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01575 896 NtClose (136, ... ) == 0x0 01576 896 NtOpenFile (0x10080, {24, 140, 0x40, 0, 0, (0x10080, {24, 140, 0x40, 0, 0, "rzqprvoo.bat"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01577 896 NtCreateFile (0x40100080, {24, 140, 0x40, 0, 1239200, (0x40100080, {24, 140, 0x40, 0, 1239200, "rzqprvoo.bat"}, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) }, 0x0, 0, 0, 5, 96, 0, 0, ... 136, {status=0x0, info=2}, ) == 0x0 01578 896 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "@echo off\15\12:deleteagain\15\12del /A:H /F packed.exe\15\12del /F packed.exe\15\12if exist packed.exe goto deleteagain\15\12del rzqprvoo.bat\15\12", 124, 0x0, 0, ... {status=0x0, info=124}, ) , 124, 0x0, 0, ... {status=0x0, info=124}, ) == 0x0 01579 896 NtClose (136, ... ) == 0x0 01580 896 NtOpenKey (0x9, {24, 16, 0x40, 0, 0, (0x9, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01581 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1232480, ... ) }, 1232480, ... ) == 0x0 01582 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01583 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 136, ... 12, ) == 0x0 01584 896 NtClose (136, ... ) == 0x0 01585 896 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 401408, ) == 0x0 01586 896 NtClose (12, ... ) == 0x0 01587 896 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 01588 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01589 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01590 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01591 896 NtAllocateVirtualMemory (-1, 1380352, 0, 16384, 4096, 4, ... 1380352, 16384, ) == 0x0 01592 896 NtUserRegisterClassExWOW (1234088, 1234156, 1234172, 1234188, 0, 384, 0, ... ) == 0x8177c038 01593 896 NtUserGetAtomName (49208, 1233416, ... ) == 0x15 01594 896 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 2001600512, 0, 1073742848, 0, ... 01595 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230888, ... ) }, 1230888, ... ) == 0x0 01596 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 12, {status=0x0, info=1}, ) }, 5, 96, ... 12, {status=0x0, info=1}, ) == 0x0 01597 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 12, ... 136, ) == 0x0 01598 896 NtClose (12, ... ) == 0x0 01599 896 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 221184, ) == 0x0 01600 896 NtClose (136, ... ) == 0x0 01601 896 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 01602 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1231196, ... ) }, 1231196, ... ) == 0x0 01603 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 136, {status=0x0, info=1}, ) }, 5, 96, ... 136, {status=0x0, info=1}, ) == 0x0 01604 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 136, ... 12, ) == 0x0 01605 896 NtQuerySection (12, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01606 896 NtClose (136, ... ) == 0x0 01607 896 NtMapViewOfSection (12, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 229376, ) == 0x0 01608 896 NtClose (12, ... ) == 0x0 01609 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01610 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01611 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01612 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01613 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01614 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01615 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01616 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01617 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01618 896 NtProtectVirtualMemory (-1, (0x5ad71000), 1300, 4, ... (0x5ad71000), 4096, 32, ) == 0x0 01619 896 NtProtectVirtualMemory (-1, (0x5ad71000), 4096, 32, ... (0x5ad71000), 4096, 4, ) == 0x0 01620 896 NtFlushInstructionCache (-1, 1524043776, 1300, ... ) == 0x0 01621 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uxtheme.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01623 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01624 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01625 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01626 896 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01627 896 NtClose (12, ... ) == 0x0 01628 896 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01629 896 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0 01630 896 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 136, ) }, ... 136, ) == 0x0 01631 896 NtQueryValueKey (136, (136, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01632 896 NtClose (136, ... ) == 0x0 01633 896 NtClose (12, ... ) == 0x0 01634 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01635 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 01636 896 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01637 896 NtClose (12, ... ) == 0x0 01638 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 12, ) }, ... 12, ) == 0x0 01639 896 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 136, ) }, ... 136, ) == 0x0 01640 896 NtQueryValueKey (136, (136, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01641 896 NtClose (136, ... ) == 0x0 01642 896 NtClose (12, ... ) == 0x0 01643 896 NtUserGetProcessWindowStation (... ) == 0x1c 01644 896 NtUserGetObjectInformation (28, 2, 1232984, 64, 1232980, ... ) == 0x1 01645 896 NtUserGetGUIThreadInfo (896, 1233004, ... ) == 0x1 01646 896 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1232848, 64, ... 12, 0x0, 0x0, 0x0, 64, ) == 0x0 01647 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81849, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81849, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01648 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81850, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81850, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81850, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01649 896 NtUserCallNoParam (29, ... 01650 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1230244, ... ) }, 1230244, ... ) == 0x0 01649 896 NtUserCallNoParam ... ) == 0x0 01651 896 NtUserSystemParametersInfo (41, 0, 1524240760, 0, ... ) == 0x1 01652 896 NtGdiHfontCreate (1232372, 356, 0, 0, 1333304, ... ) == 0x640a0596 01653 896 NtGdiHfontCreate (1232372, 356, 0, 0, 1333296, ... ) == 0x740a05de 01654 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81851, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81851, 0} "\0\0\0\0\0\0\0\0\210\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01655 896 NtMapViewOfSection (136, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x340000), {0, 0}, 327680, ) == 0x0 01656 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01657 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01658 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01659 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01660 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01661 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01662 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01663 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01664 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01665 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01666 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01667 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01668 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01669 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01670 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01671 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01672 896 NtUserGetWindowDC (0, ... ) == 0x1010054 01673 896 NtGdiCreatePatternBrushInternal (59048383, 0, 0, ... ) == 0xb91006e8 01674 896 NtUserCallOneParam (16842836, 57, ... ) == 0x1 01675 896 NtUserCallNoParam (29, ... 01676 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229684, ... ) }, 1229684, ... ) == 0x0 01675 896 NtUserCallNoParam ... ) == 0x0 01677 896 NtUserCallNoParam (29, ... 01678 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1229680, ... ) }, 1229680, ... ) == 0x0 01677 896 NtUserCallNoParam ... ) == 0x0 01679 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1230892, ... ) }, 1230892, ... ) == 0x0 01680 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 01681 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 144, ... 148, ) == 0x0 01682 896 NtClose (144, ... ) == 0x0 01683 896 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x390000), 0x0, 294912, ) == 0x0 01684 896 NtClose (148, ... ) == 0x0 01685 896 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 01686 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 1231200, ... ) }, 1231200, ... ) == 0x0 01687 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSCTF.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01688 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 144, ) == 0x0 01689 896 NtQuerySection (144, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01690 896 NtClose (148, ... ) == 0x0 01691 896 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74720000), 0x0, 307200, ) == 0x0 01692 896 NtClose (144, ... ) == 0x0 01693 896 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 01694 896 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 01695 896 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 01696 896 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 01697 896 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 01698 896 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 01699 896 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 01700 896 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 01701 896 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 01702 896 NtProtectVirtualMemory (-1, (0x74721000), 928, 4, ... (0x74721000), 4096, 32, ) == 0x0 01703 896 NtProtectVirtualMemory (-1, (0x74721000), 4096, 32, ... (0x74721000), 4096, 4, ) == 0x0 01704 896 NtFlushInstructionCache (-1, 1953632256, 928, ... ) == 0x0 01705 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01706 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ntdll.dll"}, 1228556, ... ) }, 1228556, ... ) == 0x0 01707 896 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01708 896 NtUserCallOneParam (0, 40, ... ) == 0x4090409 01709 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.Private", ... ) , ... ) == 0xc0a1 01710 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.SetFocus", ... ) , ... ) == 0xc0a2 01711 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadTerminate", ... ) , ... ) == 0xc0a3 01712 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadItemChange", ... ) , ... ) == 0xc0a4 01713 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.LangBarModal", ... ) , ... ) == 0xc0a5 01714 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.RpcSendReceive", ... ) , ... ) == 0xc0a6 01715 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ThreadMarshal", ... ) , ... ) == 0xc0a7 01716 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.CheckThreadInputIdel", ... ) , ... ) == 0xc0a8 01717 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.StubCleanUp", ... ) , ... ) == 0xc0a9 01718 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.ShowFloating", ... ) , ... ) == 0xc0aa 01719 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.LBUpdate", ... ) , ... ) == 0xc0ab 01720 896 NtUserRegisterWindowMessage ( ("MSUIM.Msg.MuiMgrDirtyUpdate", ... ) , ... ) == 0xc0ac 01721 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\imm32.dll"}, 1228564, ... ) }, 1228564, ... ) == 0x0 01722 896 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 3998, 1230956, 0, 0} (24, {24, 52, new_msg, 0, 3998, 1230956, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\200\3\0\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\200\3\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 1252, 896, 81852, 0} (24, {24, 52, new_msg, 0, 3998, 1230956, 0, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\200\3\0\0\0\0\0\0" ... {24, 52, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\200\3\0\0\0\0\0\0" ) ) == 0x0 01723 896 NtUserGetThreadDesktop (896, 0, ... ) == 0x24 01724 896 NtUserGetObjectInformation (36, 2, 1318544, 520, 1230864, ... ) == 0x1 01725 896 NtOpenProcessToken (-1, 0x8, ... 144, ) == 0x0 01726 896 NtQueryInformationToken (144, User, 0, ... ) == STATUS_BUFFER_TOO_SMALL 01727 896 NtQueryInformationToken (144, User, 36, ... {token info, class 1, size 36}, 36, ) == 0x0 01728 896 NtClose (144, ... ) == 0x0 01729 896 NtCreateSection (0xf0007, {24, 44, 0x80, 0, 0, (0xf0007, {24, 44, 0x80, 0, 0, "CiceroSharedMemDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, {3240, 0}, 4, 134217728, 0, ... 144, ) }, {3240, 0}, 4, 134217728, 0, ... 144, ) == STATUS_OBJECT_NAME_EXISTS 01730 896 NtMapViewOfSection (144, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x390000), {0, 0}, 4096, ) == 0x0 01731 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\Compatibility\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01732 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\SystemShared\"}, ... 148, ) }, ... 148, ) == 0x0 01733 896 NtQueryValueKey (148, (148, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (148, "CUAS", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01734 896 NtClose (148, ... ) == 0x0 01735 896 NtUserFindExistingCursorIcon (1230396, 1230412, 1230460, ... ) == 0x10011 01736 896 NtUserRegisterClassExWOW (1230668, 1230764, 1230748, 1230736, 0, 386, 0, ... ) == 0x8177c0ad 01737 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.LBES.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 148, ) }, 0, ... 148, ) == STATUS_OBJECT_NAME_EXISTS 01738 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.Compart.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 152, ) }, 0, ... 152, ) == STATUS_OBJECT_NAME_EXISTS 01739 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.Asm.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 156, ) }, 0, ... 156, ) == STATUS_OBJECT_NAME_EXISTS 01740 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.Layouts.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 160, ) }, 0, ... 160, ) == STATUS_OBJECT_NAME_EXISTS 01741 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.TMD.MutexDefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 164, ) }, 0, ... 164, ) == STATUS_OBJECT_NAME_EXISTS 01742 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Keyboard Layout\Toggle"}, ... 168, ) }, ... 168, ) == 0x0 01743 896 NtQueryValueKey (168, (168, "Language Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01744 896 NtQueryValueKey (168, (168, "Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01745 896 NtQueryValueKey (168, (168, "Layout Hotkey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01746 896 NtClose (168, ... ) == 0x0 01747 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\KERNEL32.dll"}, 1228384, ... ) }, 1228384, ... ) == 0x0 01748 896 NtQueryDefaultUILanguage (1230944, ... 01749 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01750 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 01751 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01752 896 NtClose (-2147482756, ... ) == 0x0 01753 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 01754 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01755 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 01756 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01757 896 NtClose (-2147481452, ... ) == 0x0 01758 896 NtClose (-2147482756, ... ) == 0x0 01748 896 NtQueryDefaultUILanguage ... ) == 0x0 01759 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\CTF\"}, ... 168, ) }, ... 168, ) == 0x0 01760 896 NtQueryValueKey (168, (168, "EnableAnchorContext", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01761 896 NtClose (168, ... ) == 0x0 01762 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003MUTEX.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, 0, ... 168, ) }, 0, ... 168, ) == STATUS_OBJECT_NAME_EXISTS 01763 896 NtOpenSection (0xf001f, {24, 44, 0x0, 0, 0, (0xf001f, {24, 44, 0x0, 0, 0, "CTF.TimListCache.FMPDefaultS-1-5-21-1292428093-1383384898-725345543-1003SFM.DefaultS-1-5-21-1292428093-1383384898-725345543-1003"}, ... 172, ) }, ... 172, ) == 0x0 01764 896 NtMapViewOfSection (172, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3a0000), {0, 0}, 262144, ) == 0x0 01765 896 NtWaitForSingleObject (168, 0, {-50000000, -1}, ... ) == 0x0 01766 896 NtReleaseMutant (168, ... 0x0, ) == 0x0 01767 896 NtWaitForSingleObject (168, 0, {-50000000, -1}, ... ) == 0x0 01768 896 NtReleaseMutant (168, ... 0x0, ) == 0x0 01769 896 NtWaitForSingleObject (168, 0, {-50000000, -1}, ... ) == 0x0 01770 896 NtReleaseMutant (168, ... 0x0, ) == 0x0 01771 896 NtUserSetWindowsHookEx (1953628160, 1232388, 896, 2, 1953694283, 2, ... ) == 0x2007009d 01772 896 NtUserSetWindowsHookEx (1953628160, 1232388, 896, 7, 1953693577, 2, ... ) == 0x1580153 01773 896 NtUserMessageCall (0x90130, WM_NCCREATE, 0x0, 0x12d1b4, 0, 670, 0, ... ) == 0x1 01774 896 NtUserMessageCall (0x90130, WM_NCCALCSIZE, 0x0, 0x12d1dc, 0, 670, 0, ... ) == 0x0 01775 896 NtUserSetProp (590128, 43288, -1, ... ) == 0x1 01594 896 NtUserCreateWindowEx ... ) == 0x90130 01776 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 176, ) }, ... 176, ) == 0x0 01777 896 NtQueryValueKey (176, (176, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01778 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 180, ) }, ... 180, ) == 0x0 01779 896 NtQueryValueKey (180, (180, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01780 896 NtClose (180, ... ) == 0x0 01781 896 NtClose (176, ... ) == 0x0 01782 896 NtAllocateVirtualMemory (-1, 1396736, 0, 28672, 4096, 4, ... 1396736, 28672, ) == 0x0 01783 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01784 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01785 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 176, ) }, ... 176, ) == 0x0 01786 896 NtQueryValueKey (176, (176, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01787 896 NtClose (176, ... ) == 0x0 01788 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01789 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 01790 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0 01791 896 NtQuerySystemTime (... {1431172914, 29929616}, ) == 0x0 01792 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0 01793 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01794 896 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01795 896 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01796 896 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01797 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0 01798 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 192, ) == 0x0 01799 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 196, ) }, ... 196, ) == 0x0 01800 896 NtOpenKey (0x20019, {24, 196, 0x40, 0, 0, (0x20019, {24, 196, 0x40, 0, 0, "ActiveComputerName"}, ... 200, ) }, ... 200, ) == 0x0 01801 896 NtQueryValueKey (200, (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (200, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01802 896 NtClose (200, ... ) == 0x0 01803 896 NtClose (196, ... ) == 0x0 01804 896 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 196, ) == 0x0 01805 896 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 200, ) == 0x0 01806 896 NtDuplicateObject (-1, 196, -1, 0x0, 0, 2, ... 204, ) == 0x0 01807 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01808 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0 01809 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01810 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01811 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1233108, (0xc0100080, {24, 0, 0x40, 0, 1233108, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0 01812 896 NtSetInformationFile (212, 1233164, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01813 896 NtSetInformationFile (212, 1233152, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01814 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01815 896 NtWriteFile (212, 189, 0, 0, (212, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01816 896 NtReadFile (212, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (212, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p2\0\0\15\0\PIPE\wkssvc\0\200\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01817 896 NtFsControlFile (212, 189, 0x0, 0x0, 0x11c017, (212, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p2\0\0\15\0\PIPE\wkssvc\0\200\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (212, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p2\0\0\15\0\PIPE\wkssvc\0\200\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01818 896 NtClose (208, ... ) == 0x0 01819 896 NtClose (212, ... ) == 0x0 01820 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work"}, 1233168, ... ) }, 1233168, ... ) == 0x0 01821 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01822 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01823 896 NtQueryAttributesFile ({24, 140, 0x40, 0, 0, ({24, 140, 0x40, 0, 0, "rzqprvoo.bat"}, 1232972, ... ) }, 1232972, ... ) == 0x0 01824 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01825 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01826 896 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330600, 0, (0x1f0003, {24, 44, 0x80, 1330600, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 212, ) }, 0, 2147483647, ... 212, ) == STATUS_OBJECT_NAME_EXISTS 01827 896 NtReleaseSemaphore (212, 1, ... 0, ) == 0x0 01828 896 NtWaitForSingleObject (212, 0, {0, 0}, ... ) == 0x0 01829 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 01831 896 NtQueryValueKey (208, (208, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 896 NtClose (208, ... ) == 0x0 01833 896 NtReleaseSemaphore (212, 1, ... 0, ) == 0x0 01834 896 NtWaitForSingleObject (212, 0, {0, 0}, ... ) == 0x0 01835 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01836 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 01837 896 NtQueryValueKey (208, (208, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01838 896 NtClose (208, ... ) == 0x0 01839 896 NtReleaseSemaphore (212, 1, ... 0, ) == 0x0 01840 896 NtWaitForSingleObject (212, 0, {0, 0}, ... ) == 0x0 01841 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01842 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 01843 896 NtQueryValueKey (208, (208, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01844 896 NtClose (208, ... ) == 0x0 01845 896 NtReleaseSemaphore (212, 1, ... 0, ) == 0x0 01846 896 NtWaitForSingleObject (212, 0, {0, 0}, ... ) == 0x0 01847 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01848 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0 01849 896 NtQueryValueKey (208, (208, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01850 896 NtClose (208, ... ) == 0x0 01851 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... 208, ) }, ... 208, ) == 0x0 01852 896 NtEnumerateKey (208, 0, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name= (208, 0, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name="{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, 92, ) }, 92, ) == 0x0 01853 896 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "{1f4de370-d627-11d1-ba4f-00a0c91eedba}"}, ... 216, ) }, ... 216, ) == 0x0 01854 896 NtQueryValueKey (216, (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01855 896 NtClose (216, ... ) == 0x0 01856 896 NtEnumerateKey (208, 1, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name= (208, 1, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name="{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, 92, ) }, 92, ) == 0x0 01857 896 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "{450D8FBA-AD25-11D0-98A8-0800361B1103}"}, ... 216, ) }, ... 216, ) == 0x0 01858 896 NtQueryValueKey (216, (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01859 896 NtClose (216, ... ) == 0x0 01860 896 NtEnumerateKey (208, 2, Basic, 288, ... {LastWrite={0x389828a4,0x1c74d7e}, TitleIdx=0, Name= (208, 2, Basic, 288, ... {LastWrite={0x389828a4,0x1c74d7e}, TitleIdx=0, Name="{645FF040-5081-101B-9F08-00AA002F954E}"}, 92, ) }, 92, ) == 0x0 01861 896 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "{645FF040-5081-101B-9F08-00AA002F954E}"}, ... 216, ) }, ... 216, ) == 0x0 01862 896 NtQueryValueKey (216, (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01863 896 NtClose (216, ... ) == 0x0 01864 896 NtEnumerateKey (208, 3, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name= (208, 3, Basic, 288, ... {LastWrite={0xdb5bf10e,0x1c74da8}, TitleIdx=0, Name="{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, 92, ) }, 92, ) == 0x0 01865 896 NtOpenKey (0x20019, {24, 208, 0x40, 0, 0, (0x20019, {24, 208, 0x40, 0, 0, "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"}, ... 216, ) }, ... 216, ) == 0x0 01866 896 NtQueryValueKey (216, (216, "SuppressionPolicy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01867 896 NtClose (216, ... ) == 0x0 01868 896 NtEnumerateKey (208, 4, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 01869 896 NtClose (208, ... ) == 0x0 01870 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01871 896 NtOpenProcessToken (-1, 0x8, ... 208, ) == 0x0 01872 896 NtQueryInformationToken (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01873 896 NtClose (208, ... ) == 0x0 01874 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01875 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0 01876 896 NtOpenKey (0x2000000, {24, 208, 0x40, 0, 0, ""}, ... 216, ) == 0x0 01877 896 NtCreateKey (0x1, {24, 216, 0x40, 0, 0, (0x1, {24, 216, 0x40, 0, 0, "SessionInfo\0000000000009f43"}, 0, 0x0, 1, ... 220, 2, ) }, 0, 0x0, 1, ... 220, 2, ) == 0x0 01878 896 NtClose (216, ... ) == 0x0 01879 896 NtOpenKey (0x20019, {24, 220, 0x40, 0, 0, (0x20019, {24, 220, 0x40, 0, 0, "Desktop\NameSpace"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01880 896 NtClose (220, ... ) == 0x0 01881 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01882 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01883 896 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01884 896 NtClose (220, ... ) == 0x0 01885 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 220, ) }, ... 220, ) == 0x0 01886 896 NtSetInformationObject (222, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 01887 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 01888 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01889 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0 01890 896 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01891 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01892 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01893 896 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01894 896 NtClose (224, ... ) == 0x0 01895 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01896 896 NtQueryValueKey (218, (218, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01897 896 NtClose (218, ... ) == 0x0 01898 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 01899 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01900 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0 01901 896 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01902 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01903 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01904 896 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01905 896 NtClose (224, ... ) == 0x0 01906 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01907 896 NtQueryValueKey (218, (218, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01908 896 NtClose (218, ... ) == 0x0 01909 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 01910 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01911 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... 216, ) }, ... 216, ) == 0x0 01912 896 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolderB"}, 186, ) }, 186, ) == 0x0 01913 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01914 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01915 896 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01916 896 NtClose (224, ... ) == 0x0 01917 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01918 896 NtQueryValueKey (218, (218, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (218, "WantsParseDisplayName", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01919 896 NtClose (218, ... ) == 0x0 01920 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01921 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 01922 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01923 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... 216, ) }, ... 216, ) == 0x0 01924 896 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01925 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01926 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01927 896 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01928 896 NtClose (224, ... ) == 0x0 01929 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01930 896 NtQueryValueKey (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (218, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0f\0r\0a\0m\0e\0.\0d\0l\0l\0\0\0"}, 76, ) }, 76, ) == 0x0 01931 896 NtQueryKey (218, Name, 392, ... {Name= (218, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01932 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01933 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01934 896 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01935 896 NtClose (224, ... ) == 0x0 01936 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01937 896 NtQueryValueKey (218, (218, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01938 896 NtClose (218, ... ) == 0x0 01939 896 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked"}, 0, 0x0, 0, ... 216, 2, ) }, 0, 0x0, 0, ... 216, 2, ) == 0x0 01940 896 NtQueryValueKey (216, (216, "{871C5380-42A0-1069-A2EA-08002B30309D}", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01941 896 NtCreateKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked"}, 0, 0x0, 0, ... 224, 2, ) }, 0, 0x0, 0, ... 224, 2, ) == 0x0 01942 896 NtQueryValueKey (224, (224, "{871C5380-42A0-1069-A2EA-08002B30309D}", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01943 896 NtReleaseSemaphore (212, 1, ... 0, ) == 0x0 01944 896 NtWaitForSingleObject (212, 0, {0, 0}, ... ) == 0x0 01945 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01946 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 228, ) }, ... 228, ) == 0x0 01947 896 NtQueryValueKey (228, (228, "EnforceShellExtensionSecurity", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01948 896 NtClose (228, ... ) == 0x0 01949 896 NtCreateKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached"}, 0, 0x0, 0, ... 228, 2, ) }, 0, 0x0, 0, ... 228, 2, ) == 0x0 01950 896 NtQueryValueKey (228, (228, "{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01951 896 NtCreateKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached"}, 0, 0x0, 0, ... 232, 2, ) }, 0, 0x0, 0, ... 232, 2, ) == 0x0 01952 896 NtQueryValueKey (232, (232, "{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\01\02\0,A\276z\261M\307\1"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (232, "{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\01\02\0,A\276z\261M\307\1"}, 28, ) }, 28, ) == 0x0 01953 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "appHelp.dll"}, ... 236, ) }, ... 236, ) == 0x0 01954 896 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0 01955 896 NtClose (236, ... ) == 0x0 01956 896 NtProtectVirtualMemory (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0 01957 896 NtProtectVirtualMemory (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0 01958 896 NtFlushInstructionCache (-1, 2008289280, 524, ... ) == 0x0 01959 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appHelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01960 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 236, ) }, ... 236, ) == 0x0 01961 896 NtQueryValueKey (236, (236, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01962 896 NtClose (236, ... ) == 0x0 01963 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32"}, ... 236, ) }, ... 236, ) == 0x0 01964 896 NtQueryValueKey (236, " (236, "", Full, 520, ... TitleIdx=0, Type=1, Name="", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0f\0r\0a\0m\0e\0.\0d\0l\0l\0\0\0"}, 84, ) (236, "", Full, 520, ... TitleIdx=0, Type=1, Name="", Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0f\0r\0a\0m\0e\0.\0d\0l\0l\0\0\0"}, 84, ) C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0f\0r\0a\0m\0e\0.\0d\0l\0l\0\0\0"}, 84, ) == 0x0 01965 896 NtClose (236, ... ) == 0x0 01966 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll"}, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 236, {status=0x0, info=1}, ) == 0x0 01967 896 NtQueryVolumeInformationFile (236, 1232740, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01968 896 NtOpenMutant (0x120001, {24, 44, 0x0, 0, 0, (0x120001, {24, 44, 0x0, 0, 0, "ShimCacheMutex"}, ... 240, ) }, ... 240, ) == 0x0 01969 896 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 01970 896 NtWaitForSingleObject (240, 0, {-1000000, -1}, ... ) == 0x0 01971 896 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "ShimSharedMemory"}, ... 244, ) }, ... 244, ) == 0x0 01972 896 NtMapViewOfSection (244, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3e0000), {0, 0}, 57344, ) == 0x0 01973 896 NtQueryInformationFile (236, 1232704, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01974 896 NtQueryInformationFile (236, 1232744, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01975 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01976 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 248, ) == 0x0 01977 896 NtQueryInformationToken (248, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01978 896 NtClose (248, ... ) == 0x0 01979 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01980 896 NtReleaseMutant (240, ... 0x0, ) == 0x0 01981 896 NtClose (236, ... ) == 0x0 01982 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0 01983 896 NtQueryValueKey (236, (236, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01984 896 NtClose (236, ... ) == 0x0 01985 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01986 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1230724, ... ) }, 1230724, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01987 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CLBCATQ.DLL"}, 1230724, ... ) }, 1230724, ... ) == 0x0 01988 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CLBCATQ.DLL"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01989 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 248, ) == 0x0 01990 896 NtQuerySection (248, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01991 896 NtClose (236, ... ) == 0x0 01992 896 NtMapViewOfSection (248, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 520192, ) == 0x0 01993 896 NtClose (248, ... ) == 0x0 01994 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 01995 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 01996 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 01997 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01998 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1229936, ... ) }, 1229936, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01999 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMRes.dll"}, 1229936, ... ) }, 1229936, ... ) == 0x0 02000 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\COMRes.dll"}, 5, 96, ... 248, {status=0x0, info=1}, ) }, 5, 96, ... 248, {status=0x0, info=1}, ) == 0x0 02001 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 248, ... 236, ) == 0x0 02002 896 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02003 896 NtClose (248, ... ) == 0x0 02004 896 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0 02005 896 NtClose (236, ... ) == 0x0 02006 896 NtProtectVirtualMemory (-1, (0x77051000), 8, 4, ... (0x77051000), 4096, 32, ) == 0x0 02007 896 NtProtectVirtualMemory (-1, (0x77051000), 4096, 32, ... (0x77051000), 4096, 4, ) == 0x0 02008 896 NtFlushInstructionCache (-1, 1996820480, 8, ... ) == 0x0 02009 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02010 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02011 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02012 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02013 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02014 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02015 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02016 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02017 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02018 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02019 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02020 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02021 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02022 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02023 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02024 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02025 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02026 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02027 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02028 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02029 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02030 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02031 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02032 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02033 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 236, ) }, ... 236, ) == 0x0 02034 896 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 32768, ) == 0x0 02035 896 NtClose (236, ... ) == 0x0 02036 896 NtProtectVirtualMemory (-1, (0x77c01000), 304, 4, ... (0x77c01000), 4096, 32, ) == 0x0 02037 896 NtProtectVirtualMemory (-1, (0x77c01000), 4096, 32, ... (0x77c01000), 4096, 4, ) == 0x0 02038 896 NtFlushInstructionCache (-1, 2009075712, 304, ... ) == 0x0 02039 896 NtProtectVirtualMemory (-1, (0x76fd1000), 1060, 4, ... (0x76fd1000), 4096, 32, ) == 0x0 02040 896 NtProtectVirtualMemory (-1, (0x76fd1000), 4096, 32, ... (0x76fd1000), 4096, 4, ) == 0x0 02041 896 NtFlushInstructionCache (-1, 1996296192, 1060, ... ) == 0x0 02042 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02043 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02044 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02045 896 NtOpenKey (0xf003f, {24, 16, 0x40, 0, 0, (0xf003f, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02046 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02047 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 236, ) }, ... 236, ) == 0x0 02048 896 NtQueryValueKey (236, (236, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02049 896 NtQueryValueKey (236, (236, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02050 896 NtClose (236, ... ) == 0x0 02051 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1230808, ... ) }, 1230808, ... ) == 0x0 02052 896 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 02053 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 236, ) }, ... 236, ) == 0x0 02054 896 NtQueryValueKey (236, (236, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02055 896 NtClose (236, ... ) == 0x0 02056 896 NtOpenThreadToken (-2, 0x4, 1, ... ) == STATUS_NO_TOKEN 02057 896 NtOpenProcessToken (-1, 0x8, ... 236, ) == 0x0 02058 896 NtQueryInformationToken (236, User, 100, ... {token info, class 1, size 36}, 36, ) == 0x0 02059 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\User\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 248, ) }, ... 248, ) == 0x0 02060 896 NtClose (236, ... ) == 0x0 02061 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Classes"}, ... 236, ) }, ... 236, ) == 0x0 02062 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0 02063 896 NtNotifyChangeKey (236, 252, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02064 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 256, ) }, ... 256, ) == 0x0 02065 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0 02066 896 NtNotifyChangeKey (256, 260, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02067 896 NtOpenKey (0x10, {24, 0, 0x40, 0, 0, (0x10, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 264, ) }, ... 264, ) == 0x0 02068 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 268, ) == 0x0 02069 896 NtNotifyChangeKey (264, 268, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02070 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Classes"}, ... 272, ) }, ... 272, ) == 0x0 02071 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 276, ) == 0x0 02072 896 NtNotifyChangeKey (272, 276, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02073 896 NtOpenKey (0x10, {24, 0, 0x40, 0, 0, (0x10, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 280, ) }, ... 280, ) == 0x0 02074 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 284, ) == 0x0 02075 896 NtNotifyChangeKey (280, 284, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02076 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 288, ) }, ... 288, ) == 0x0 02077 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 292, ) == 0x0 02078 896 NtNotifyChangeKey (288, 292, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02079 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 296, ) }, ... 296, ) == 0x0 02080 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 300, ) == 0x0 02081 896 NtNotifyChangeKey (296, 300, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02082 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 304, ) }, ... 304, ) == 0x0 02083 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 308, ) == 0x0 02084 896 NtNotifyChangeKey (304, 308, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02085 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Classes"}, ... 312, ) }, ... 312, ) == 0x0 02086 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 316, ) == 0x0 02087 896 NtNotifyChangeKey (312, 316, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02088 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 320, ) }, ... 320, ) == 0x0 02089 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 324, ) == 0x0 02090 896 NtNotifyChangeKey (320, 324, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02091 896 NtOpenKey (0x10, {24, 0, 0x40, 0, 0, (0x10, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 328, ) }, ... 328, ) == 0x0 02092 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 332, ) == 0x0 02093 896 NtNotifyChangeKey (328, 332, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02094 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 336, ) }, ... 336, ) == 0x0 02095 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 340, ) == 0x0 02096 896 NtNotifyChangeKey (336, 340, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02097 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 344, ) }, ... 344, ) == 0x0 02098 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 348, ) == 0x0 02099 896 NtNotifyChangeKey (344, 348, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02100 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 352, ) }, ... 352, ) == 0x0 02101 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 356, ) == 0x0 02102 896 NtNotifyChangeKey (352, 356, 0, 0, 2011455960, 5, 1, 0, 0, 1, ... ) == 0x103 02103 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 360, ) }, ... 360, ) == 0x0 02104 896 NtQueryValueKey (360, (360, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (360, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02105 896 NtClose (360, ... ) == 0x0 02106 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02107 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02108 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1231568, (0x80100080, {24, 0, 0x40, 0, 1231568, "\??\C:\WINDOWS\Registration\R000000000007.clb"}, 0x0, 0, 1, 1, 96, 0, 0, ... 360, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 360, {status=0x0, info=1}, ) == 0x0 02109 896 NtQueryInformationFile (360, 1231636, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02110 896 NtSetInformationFile (360, 1231668, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02111 896 NtAllocateVirtualMemory (-1, 1429504, 0, 24576, 4096, 4, ... 1429504, 24576, ) == 0x0 02112 896 NtSetInformationFile (360, 1231564, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02113 896 NtReadFile (360, 0, 0, 0, 22512, 0x0, 0, ... {status=0x0, info=22512}, (360, 0, 0, 0, 22512, 0x0, 0, ... {status=0x0, info=22512}, "COM+\1\0\0\0\1\0\22\0$\0\0\0\0\1\1\0c\0\0\0\0\0\0\1\1\0\0\0\0\1\20\0\0\0\0\0\300\0\0\0\0\0\0F\16\0\0\00\1\0\0\240\3\0\03_0\0\320\4\0\0\14\0\0\03_1\0\334\4\0\0\210\2\0\03_2\0d\7\0\0<\0\0\03_3\0\240\7\0\0\220\10\0\03_4\00\20\0\0(\0\0\03_5\0X\20\0\0(\0\0\03_6\0\200\20\0\0(\0\0\03_7\0\250\20\0\0\210\20\0\03_8\00!\0\0\250\11\0\03_9\0\330*\0\0<\4\0\03_10\0\0\0\0\24/\0\0\14\1\0\03_11\0\0\0\0 0\0\0\34\0\0\03_12\0\0\0\0<0\0\0\24\0\0\03_16\0\0\0\0P0\0\0\220\16\0\0#Schema\0\340>\0\0d\17\0\0#Strings\0\0\0\0DN\0\0\14\4\0\0#Blob\0\0\0PR\0\0\240\5\0\0#GUID\0\0\0\5\0\0\0\270\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\4\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\3\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\1\0\0\0R\0A\13\0\0\0\0\345\16\275\13\377\377R\2\231\6\231\6\377\377\237\10\231\6\231\6\0\0\377\377\377\377\231\6\0\0\334\12Z\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02114 896 NtClose (360, ... ) == 0x0 02115 896 NtAllocateVirtualMemory (-1, 4485120, 0, 8192, 4096, 4, ... 4485120, 8192, ) == 0x0 02116 896 NtAllocateVirtualMemory (-1, 4493312, 0, 8192, 4096, 4, ... 4493312, 8192, ) == 0x0 02117 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 360, ) }, ... 360, ) == 0x0 02118 896 NtQueryValueKey (360, (360, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (360, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02119 896 NtClose (360, ... ) == 0x0 02120 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02121 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02122 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 1, ... 4128768, 65536, ) == 0x0 02123 896 NtAllocateVirtualMemory (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0 02124 896 NtQueryKey (250, Name, 384, ... {Name= (250, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02125 896 NtOpenKey (0x20019, {24, 250, 0x40, 0, 0, (0x20019, {24, 250, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02126 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 360, ) }, ... 360, ) == 0x0 02127 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02128 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02129 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 364, ) == 0x0 02130 896 NtQueryInformationToken (364, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02131 896 NtClose (364, ... ) == 0x0 02132 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02133 896 NtOpenKey (0x1, {24, 362, 0x40, 0, 0, (0x1, {24, 362, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 896 NtQueryKey (250, Name, 384, ... {Name= (250, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02135 896 NtOpenKey (0x20019, {24, 250, 0x40, 0, 0, ""}, ... 364, ) == 0x0 02136 896 NtClose (362, ... ) == 0x0 02137 896 NtQueryKey (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02138 896 NtOpenKey (0x20019, {24, 366, 0x40, 0, 0, (0x20019, {24, 366, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02139 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 360, ) }, ... 360, ) == 0x0 02140 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02141 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02142 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02143 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02144 896 NtClose (368, ... ) == 0x0 02145 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02146 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocServer32"}, ... 368, ) }, ... 368, ) == 0x0 02147 896 NtQueryKey (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02148 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02149 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02150 896 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02151 896 NtClose (372, ... ) == 0x0 02152 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02153 896 NtQueryValueKey (370, (370, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02154 896 NtClose (370, ... ) == 0x0 02155 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02156 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02157 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02158 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02159 896 NtClose (368, ... ) == 0x0 02160 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02161 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02162 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02163 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02164 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02165 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02166 896 NtClose (368, ... ) == 0x0 02167 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02168 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02169 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02170 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02171 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02172 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02173 896 NtClose (368, ... ) == 0x0 02174 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02175 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocServer32"}, ... 368, ) }, ... 368, ) == 0x0 02176 896 NtQueryKey (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02177 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02178 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02179 896 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02180 896 NtClose (372, ... ) == 0x0 02181 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02182 896 NtQueryValueKey (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (370, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0f\0r\0a\0m\0e\0.\0d\0l\0l\0\0\0"}, 76, ) }, 76, ) == 0x0 02183 896 NtClose (370, ... ) == 0x0 02184 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02185 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02186 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02187 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02188 896 NtClose (368, ... ) == 0x0 02189 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02190 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02191 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02192 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02193 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02194 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02195 896 NtClose (368, ... ) == 0x0 02196 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02197 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02198 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02199 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02200 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02201 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02202 896 NtClose (368, ... ) == 0x0 02203 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02204 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}3"}, 162, ) }, 162, ) == 0x0 02206 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02207 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02208 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02209 896 NtClose (368, ... ) == 0x0 02210 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02211 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02212 896 NtQueryKey (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02213 896 NtOpenKey (0x20019, {24, 366, 0x40, 0, 0, (0x20019, {24, 366, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02214 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 368, ) }, ... 368, ) == 0x0 02215 896 NtQueryKey (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02216 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02217 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02218 896 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02219 896 NtClose (372, ... ) == 0x0 02220 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 896 NtQueryValueKey (370, (370, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02222 896 NtClose (370, ... ) == 0x0 02223 896 NtClose (362, ... ) == 0x0 02224 896 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 360, ) == 0x0 02225 896 NtQueryInformationProcess (360, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 02226 896 NtClose (360, ... ) == 0x0 02227 896 NtQueryKey (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02228 896 NtOpenKey (0x20019, {24, 366, 0x40, 0, 0, (0x20019, {24, 366, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02229 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 360, ) }, ... 360, ) == 0x0 02230 896 NtClose (362, ... ) == 0x0 02231 896 NtQueryKey (366, Name, 384, ... {Name= (366, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02232 896 NtOpenKey (0x20019, {24, 366, 0x40, 0, 0, (0x20019, {24, 366, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02233 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 360, ) }, ... 360, ) == 0x0 02234 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02235 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02236 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02237 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02238 896 NtClose (368, ... ) == 0x0 02239 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02240 896 NtOpenKey (0x2000000, {24, 362, 0x40, 0, 0, (0x2000000, {24, 362, 0x40, 0, 0, "InprocServer32"}, ... 368, ) }, ... 368, ) == 0x0 02241 896 NtQueryKey (370, Name, 392, ... {Name= (370, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02242 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02243 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 372, ) == 0x0 02244 896 NtQueryInformationToken (372, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02245 896 NtClose (372, ... ) == 0x0 02246 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02247 896 NtQueryValueKey (370, (370, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (370, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0 02248 896 NtClose (370, ... ) == 0x0 02249 896 NtClose (362, ... ) == 0x0 02250 896 NtAllocateVirtualMemory (-1, 1454080, 0, 8192, 4096, 4, ... 1454080, 8192, ) == 0x0 02251 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02252 896 NtOpenKey (0x20019, {24, 222, 0x40, 0, 0, (0x20019, {24, 222, 0x40, 0, 0, "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02253 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... 360, ) }, ... 360, ) == 0x0 02254 896 NtQueryKey (362, Name, 384, ... {Name= (362, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}9"}, 162, ) }, 162, ) == 0x0 02255 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02256 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 368, ) == 0x0 02257 896 NtQueryInformationToken (368, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02258 896 NtClose (368, ... ) == 0x0 02259 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02260 896 NtOpenKey (0x1, {24, 362, 0x40, 0, 0, (0x1, {24, 362, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02261 896 NtClose (362, ... ) == 0x0 02262 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll"}, 1226992, ... ) }, 1226992, ... ) == 0x0 02263 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll"}, 5, 96, ... 360, {status=0x0, info=1}, ) }, 5, 96, ... 360, {status=0x0, info=1}, ) == 0x0 02264 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 360, ... 368, ) == 0x0 02265 896 NtClose (360, ... ) == 0x0 02266 896 NtMapViewOfSection (368, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x1190000), 0x0, 6066176, ) == 0x0 02267 896 NtClose (368, ... ) == 0x0 02268 896 NtUnmapViewOfSection (-1, 0x1190000, ... ) == 0x0 02269 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll"}, 1227300, ... ) }, 1227300, ... ) == 0x0 02270 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0 02271 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 360, ) == 0x0 02272 896 NtQuerySection (360, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02273 896 NtClose (368, ... ) == 0x0 02274 896 NtMapViewOfSection (360, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42ef0000), 0x0, 6082560, ) == 0x0 02275 896 NtClose (360, ... ) == 0x0 02276 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02277 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02278 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02279 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02280 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02281 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02282 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02283 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02284 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02285 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02286 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02287 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02288 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02289 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02290 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02291 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02292 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02293 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02294 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02295 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02296 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02297 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02298 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02299 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02300 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02301 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02302 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02303 896 NtProtectVirtualMemory (-1, (0x42ef1000), 3464, 4, ... (0x42ef1000), 4096, 32, ) == 0x0 02304 896 NtProtectVirtualMemory (-1, (0x42ef1000), 4096, 32, ... (0x42ef1000), 4096, 4, ) == 0x0 02305 896 NtFlushInstructionCache (-1, 1122963456, 3464, ... ) == 0x0 02306 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieframe.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02307 896 NtQueryPerformanceCounter (... {-1444566127, 16}, {3579545, 0}, ) == 0x0 02308 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 360, ) == 0x0 02309 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 368, ) == 0x0 02310 896 NtRequestWaitReplyPort (12, {32, 56, new_msg, 0, 0, 0, 0, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0t\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 1252, 896, 81853, 0} (12, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 1252, 896, 81853, 0} "\0\0\0\0\0\0\0\0t\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02311 896 NtClose (372, ... ) == 0x0 02312 896 NtUserRegisterWindowMessage ( ("XElementNavigateOut", ... ) , ... ) == 0xc088 02313 896 NtUserRegisterWindowMessage ( ("XElementButtonFocusChange", ... ) , ... ) == 0xc089 02314 896 NtUserRegisterWindowMessage ( ("XElementUnhandledSyschar", ... ) , ... ) == 0xc08d 02315 896 NtUserRegisterWindowMessage ( ("DUI_UIA_InvokeHelperMsg", ... ) , ... ) == 0xc0cf 02316 896 NtAllocateVirtualMemory (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0 02317 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE"}, ... 372, ) }, ... 372, ) == 0x0 02318 896 NtQueryValueKey (372, " (372, "", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0I\0E\0X\0P\0L\0O\0R\0E\0.\0E\0X\0E\0\0\0"}, 108, ) C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0I\0E\0X\0P\0L\0O\0R\0E\0.\0E\0X\0E\0\0\0"}, 108, ) == 0x0 02319 896 NtClose (372, ... ) == 0x0 02320 896 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1223532, (0x100080, {24, 0, 0x40, 0, 1223532, "\??\C:\Program Files\Internet Explorer\IEXPLORE.EXE"}, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 372, {status=0x0, info=1}, ) == 0x0 02321 896 NtQueryVolumeInformationFile (372, 1223472, 24, Volume, ... {status=0x0, info=18}, ) == 0x0 02322 896 NtQueryInformationFile (372, 1223496, 104, All, ... ) == STATUS_BUFFER_OVERFLOW 02323 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Internet Explorer\Setup"}, ... 376, ) }, ... 376, ) == 0x0 02324 896 NtQueryValueKey (376, (376, "IExploreLastModifiedLow", Partial, 144, ... TitleIdx=0, Type=4, Data="\0D\331\256"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "IExploreLastModifiedLow", Partial, 144, ... TitleIdx=0, Type=4, Data="\0D\331\256"}, 16, ) }, 16, ) == 0x0 02325 896 NtClose (376, ... ) == 0x0 02326 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Internet Explorer\Setup"}, ... 376, ) }, ... 376, ) == 0x0 02327 896 NtQueryValueKey (376, (376, "IExploreLastModifiedHigh", Partial, 144, ... TitleIdx=0, Type=4, Data=",\13\310\1"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "IExploreLastModifiedHigh", Partial, 144, ... TitleIdx=0, Type=4, Data=",\13\310\1"}, 16, ) }, 16, ) == 0x0 02328 896 NtClose (376, ... ) == 0x0 02329 896 NtClose (372, ... ) == 0x0 02330 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 02331 896 NtDeviceIoControlFile (88, 92, 0x0, 0x12b878, 0x22414c, (88, 92, 0x0, 0x12b878, 0x22414c, "\300\270\22\0\0\0\0\0\3\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0*\327\37>#\303tE\231\27\\351\3116\367\214\0\20\10\0\0\0\0\0\0\0\0\0*\327\37>#\303tE\231\27\\351\3116\367\214\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 02332 896 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 02333 896 NtQueryValueKey (-2147482756, (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 896 NtQueryValueKey (-2147482756, (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02335 896 NtClose (-2147482756, ... ) == 0x0 02336 896 NtClose (892, ... ) == 0x0 02331 896 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, " (\267\341\0\0\0\0*\327\37>#\303tE\231\27\\351\3116\367\214\0\4\0\0ey\16\0\0\0\0\0\0\0\0\0\2\0\0\0*\327\37>#\303tE\231\27\\351\3116\367\214\0\20\10\0x\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02337 896 NtSetEvent (104, ... 01206 1556 NtWaitForMultipleObjects ... ) == 0x0 02338 1556 NtDeviceIoControlFile (100, 112, 0x0, 0x77e466a0, 0x228144, (100, 112, 0x0, 0x77e466a0, 0x228144, "\3\0\0\0\1\0\0\0\\370\342w\0\0\0\0l\0\0\0\0\0\0\0x\1\0\0\0\0\0\0|\0\0\0\0\0\0\0`\0\0\0\0\0\0\0", 48, 4096, ... {status=0x103, info=0}, "", ) , 48, 4096, ... {status=0x103, info=0}, "", ) == 0x103 02339 1556 NtWaitForMultipleObjects (2, (104, 112, ), 1, 1, {1294967296, -1}, ... 02337 896 NtSetEvent ... 0x0, ) == 0x0 02340 896 NtSetEvent (372, ... 0x0, ) == 0x0 02341 896 NtClose (372, ... ) == 0x0 02342 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 372, ) == 0x0 02343 896 NtDeviceIoControlFile (88, 92, 0x0, 0x12b878, 0x22414c, (88, 92, 0x0, 0x12b878, 0x22414c, "\300\270\22\0\0\0\0\0\4\0\0\0\2\0\0\0\24\0\0\0\34\0\0\0P\0\0\0\0\0\0\0L\0\0\0\0\0\0\0\2\0\0\0\202\234\377\257\343[\5B\233>I\340\24\300\232c\0\20\10\0\0\0\0\0\0\0\0\0\202\234\377\257\343[\5B\233>I\340\24\300\232c\0\0\10\0\0\0\0\0\0\0\0\0\2\0\0\0", 104, 80, ... , 104, 80, ... 02344 896 NtOpenKey (0x82000000, {24, 0, 0x240, 0, 0, (0x82000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\WMI\Security"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 02345 896 NtQueryValueKey (-2147482756, (-2147482756, "DF8480A1-7492-4F45-AB78-1084642581FB", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02346 896 NtQueryValueKey (-2147482756, (-2147482756, "00000000-0000-0000-0000-000000000000", Full, 130, ... ) , Full, 130, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02347 896 NtClose (-2147482756, ... ) == 0x0 02348 896 NtClose (892, ... ) == 0x0 02343 896 NtDeviceIoControlFile ... {status=0x0, info=80}, ... {status=0x0, info=80}, " xF\342\0\0\0\0\202\234\377\257\343[\5B\233>I\340\24\300\232c\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\202\234\377\257\343[\5B\233>I\340\24\300\232c\0\20\10\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 02349 896 NtSetEvent (104, ... 02339 1556 NtWaitForMultipleObjects ... ) == 0x0 02350 1556 NtDeviceIoControlFile (100, 116, 0x0, 0x77e46680, 0x228144, (100, 116, 0x0, 0x77e46680, 0x228144, "\4\0\0\0\1\0\0\0\\370\342w\0\0\0\0l\0\0\0\0\0\0\0|\1\0\0\0\0\0\0x\1\0\0\0\0\0\0|\0\0\0\0\0\0\0`\0\0\0\0\0\0\0", 56, 4096, ... {status=0x103, info=0}, "", ) , 56, 4096, ... {status=0x103, info=0}, "", ) == 0x103 02351 1556 NtWaitForMultipleObjects (2, (104, 116, ), 1, 1, {1294967296, -1}, ... 02349 896 NtSetEvent ... 0x0, ) == 0x0 02352 896 NtSetEvent (372, ... 0x0, ) == 0x0 02353 896 NtClose (372, ... ) == 0x0 02354 896 NtQueryDefaultUILanguage (1226080, ... 02355 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02356 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 02357 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02358 896 NtClose (-2147482756, ... ) == 0x0 02359 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 02360 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02361 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 02362 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02363 896 NtClose (-2147481452, ... ) == 0x0 02364 896 NtClose (-2147482756, ... ) == 0x0 02354 896 NtQueryDefaultUILanguage ... ) == 0x0 02365 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02366 896 NtAllocateVirtualMemory (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0 02367 896 NtQueryDefaultLocale (1, 1224176, ... ) == 0x0 02368 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\ieframe.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02369 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1225212, 1179817, 1224936} (24, {128, 156, new_msg, 0, 2088850039, 1225212, 1179817, 1224936} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\20\35\26C\0\0\0\0\261\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\265\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81854, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\20\35\26C\0\0\0\0\261\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\265\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81854, 0} (24, {128, 156, new_msg, 0, 2088850039, 1225212, 1179817, 1224936} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\20\35\26C\0\0\0\0\261\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\265\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81854, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\20\35\26C\0\0\0\0\261\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\265\22\0\0\0\0\0" ) ) == 0x0 02370 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02371 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02372 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02373 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02374 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1223404, ... ) }, 1223404, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02375 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02376 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02377 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02378 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1223468, ... ) }, 1223468, ... ) == 0x0 02379 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 372, {status=0x0, info=1}, ) }, 3, 33, ... 372, {status=0x0, info=1}, ) == 0x0 02380 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02381 896 NtGdiCreateHalftonePalette (0, ... ) == 0x700804dc 02382 896 NtGdiDoPalette (1879573724, 0, 256, 1226404, 2, 0, ... ) == 0x100 02383 896 NtGdiDeleteObjectApp (1879573724, ... ) == 0x1 02384 896 NtGdiCreateCompatibleDC (0, ... ) == 0x710104dc 02385 896 NtGdiCreatePaletteInternal (1226400, 256, ... ) == 0x140806c8 02386 896 NtGdiDeleteObjectApp (1895892188, ... ) == 0x1 02387 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02388 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02389 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 384, ) }, ... 384, ) == 0x0 02390 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0 02391 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02392 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02393 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02394 896 NtClose (388, ... ) == 0x0 02395 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02396 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02397 896 NtClose (386, ... ) == 0x0 02398 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02399 896 NtOpenKey (0x20019, {24, 222, 0x40, 0, 0, (0x20019, {24, 222, 0x40, 0, 0, "CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02400 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}"}, ... 384, ) }, ... 384, ) == 0x0 02401 896 NtClose (386, ... ) == 0x0 02402 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Setup\7.0"}, ... 384, ) }, ... 384, ) == 0x0 02403 896 NtQueryValueKey (384, (384, "InstallStarted", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02404 896 NtClose (384, ... ) == 0x0 02405 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02406 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02407 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 384, ) }, ... 384, ) == 0x0 02408 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02409 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02410 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02411 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02412 896 NtClose (388, ... ) == 0x0 02413 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02414 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02415 896 NtClose (386, ... ) == 0x0 02416 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02417 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02418 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 384, ) }, ... 384, ) == 0x0 02419 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02420 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02421 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02422 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02423 896 NtClose (388, ... ) == 0x0 02424 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02425 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02426 896 NtClose (386, ... ) == 0x0 02427 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02428 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02429 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 384, ) }, ... 384, ) == 0x0 02430 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02431 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02432 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02433 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02434 896 NtClose (388, ... ) == 0x0 02435 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02436 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02437 896 NtClose (386, ... ) == 0x0 02438 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02439 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02440 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 384, ) }, ... 384, ) == 0x0 02441 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 02442 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02443 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02444 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02445 896 NtClose (388, ... ) == 0x0 02446 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02447 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 02448 896 NtClose (386, ... ) == 0x0 02449 896 NtUserRegisterWindowMessage ( ("MSWHEEL_ROLLMSG", ... ) , ... ) == 0xc08f 02450 896 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0 02451 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{871C5380-42A0-1069-A2EA-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02452 896 NtAllocateVirtualMemory (-1, 1466368, 0, 12288, 4096, 4, ... 1466368, 12288, ) == 0x0 02453 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02454 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02455 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder"}, ... 384, ) }, ... 384, ) == 0x0 02456 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 02457 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02458 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02459 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02460 896 NtClose (388, ... ) == 0x0 02461 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02462 896 NtQueryValueKey (386, (386, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02463 896 NtClose (386, ... ) == 0x0 02464 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02465 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02466 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... 384, ) }, ... 384, ) == 0x0 02467 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder6"}, 186, ) }, 186, ) == 0x0 02468 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02469 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02470 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02471 896 NtClose (388, ... ) == 0x0 02472 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02473 896 NtQueryValueKey (386, (386, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02474 896 NtClose (386, ... ) == 0x0 02475 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02476 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02477 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... 384, ) }, ... 384, ) == 0x0 02478 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder0"}, 186, ) }, 186, ) == 0x0 02479 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02480 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02481 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02482 896 NtClose (388, ... ) == 0x0 02483 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02484 896 NtQueryValueKey (386, (386, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02485 896 NtClose (386, ... ) == 0x0 02486 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02487 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02488 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder"}, ... 384, ) }, ... 384, ) == 0x0 02489 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder9"}, 186, ) }, 186, ) == 0x0 02490 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02491 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02492 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02493 896 NtClose (388, ... ) == 0x0 02494 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02495 896 NtQueryValueKey (386, (386, "WantsParseDisplayName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02496 896 NtClose (386, ... ) == 0x0 02497 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 384, ) }, ... 384, ) == 0x0 02498 896 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0 02499 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02500 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02501 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 388, ) }, ... 388, ) == 0x0 02502 896 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02503 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02504 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02505 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02506 896 NtClose (392, ... ) == 0x0 02507 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02508 896 NtQueryValueKey (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (390, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 02509 896 NtQueryKey (390, Name, 392, ... {Name= (390, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0 02510 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02511 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02512 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02513 896 NtClose (392, ... ) == 0x0 02514 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02515 896 NtQueryValueKey (390, (390, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02516 896 NtClose (390, ... ) == 0x0 02517 896 NtEnumerateValueKey (384, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02518 896 NtClose (384, ... ) == 0x0 02519 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\rzqprvoo.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02520 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02521 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02522 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rzqprvoo.bat"}, 1232412, ... ) }, 1232412, ... ) == 0x0 02523 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02524 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02525 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rzqprvoo.bat"}, 1234744, ... ) }, 1234744, ... ) == 0x0 02526 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 02527 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 02528 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02529 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02530 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 02531 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 02532 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02533 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02534 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 02535 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 02536 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02537 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02538 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 02539 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 02540 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02541 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Associations"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02542 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02543 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02544 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 384, ) }, ... 384, ) == 0x0 02545 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 02546 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02547 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02548 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02549 896 NtClose (388, ... ) == 0x0 02550 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02551 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02552 896 NtClose (386, ... ) == 0x0 02553 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02554 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".ade"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02555 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.ade"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02556 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02557 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".adp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02558 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.adp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02559 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02560 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".app"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02561 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.app"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02562 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02563 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".asp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02564 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.asp"}, ... 384, ) }, ... 384, ) == 0x0 02565 896 NtQueryKey (386, Name, 392, ... {Name= (386, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.aspo"}, 82, ) }, 82, ) == 0x0 02566 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02567 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02568 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02569 896 NtClose (388, ... ) == 0x0 02570 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.asp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02571 896 NtQueryValueKey (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (386, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="a\0s\0p\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02572 896 NtClose (386, ... ) == 0x0 02573 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02574 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".bas"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02575 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bas"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02576 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 384, ) }, ... 384, ) == 0x0 02577 896 NtQueryValueKey (384, (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02578 896 NtClose (384, ... ) == 0x0 02579 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 384, ) }, ... 384, ) == 0x0 02580 896 NtQueryValueKey (384, (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (384, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 02581 896 NtClose (384, ... ) == 0x0 02582 896 NtQueryKey (250, Name, 384, ... {Name= (250, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02583 896 NtOpenKey (0x20019, {24, 250, 0x40, 0, 0, (0x20019, {24, 250, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02584 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... 384, ) }, ... 384, ) == 0x0 02585 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}1"}, 162, ) }, 162, ) == 0x0 02586 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02587 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 02588 896 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02589 896 NtClose (388, ... ) == 0x0 02590 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02591 896 NtOpenKey (0x1, {24, 386, 0x40, 0, 0, (0x1, {24, 386, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02592 896 NtQueryKey (250, Name, 384, ... {Name= (250, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02593 896 NtOpenKey (0x20019, {24, 250, 0x40, 0, 0, ""}, ... 388, ) == 0x0 02594 896 NtClose (386, ... ) == 0x0 02595 896 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02596 896 NtOpenKey (0x20019, {24, 390, 0x40, 0, 0, (0x20019, {24, 390, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02597 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... 384, ) }, ... 384, ) == 0x0 02598 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}1"}, 162, ) }, 162, ) == 0x0 02599 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02600 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02601 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02602 896 NtClose (392, ... ) == 0x0 02603 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02604 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02605 896 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, 192, ) }, 192, ) == 0x0 02606 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02607 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02608 896 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02609 896 NtClose (396, ... ) == 0x0 02610 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02611 896 NtQueryValueKey (394, (394, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02612 896 NtClose (394, ... ) == 0x0 02613 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02614 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02615 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02616 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02617 896 NtClose (392, ... ) == 0x0 02618 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02619 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02620 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02621 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02622 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02623 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02624 896 NtClose (392, ... ) == 0x0 02625 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02626 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02627 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02628 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02629 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02630 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02631 896 NtClose (392, ... ) == 0x0 02632 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02633 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02634 896 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, 192, ) }, 192, ) == 0x0 02635 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02636 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02637 896 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02638 896 NtClose (396, ... ) == 0x0 02639 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02640 896 NtQueryValueKey (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (394, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0r\0l\0m\0o\0n\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02641 896 NtClose (394, ... ) == 0x0 02642 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02643 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02644 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02645 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02646 896 NtClose (392, ... ) == 0x0 02647 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02648 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02649 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02650 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02651 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02652 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02653 896 NtClose (392, ... ) == 0x0 02654 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02655 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02656 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02657 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02658 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02659 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02660 896 NtClose (392, ... ) == 0x0 02661 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02662 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02663 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}3"}, 162, ) }, 162, ) == 0x0 02664 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02665 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02666 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02667 896 NtClose (392, ... ) == 0x0 02668 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02669 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02670 896 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02671 896 NtOpenKey (0x20019, {24, 390, 0x40, 0, 0, (0x20019, {24, 390, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02672 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... 392, ) }, ... 392, ) == 0x0 02673 896 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}1"}, 162, ) }, 162, ) == 0x0 02674 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02675 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02676 896 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02677 896 NtClose (396, ... ) == 0x0 02678 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02679 896 NtQueryValueKey (394, (394, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02680 896 NtClose (394, ... ) == 0x0 02681 896 NtClose (386, ... ) == 0x0 02682 896 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1252, 0}, ... 384, ) == 0x0 02683 896 NtQueryInformationProcess (384, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 02684 896 NtClose (384, ... ) == 0x0 02685 896 NtQueryKey (390, Name, 384, ... {Name= (390, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02686 896 NtOpenKey (0x20019, {24, 390, 0x40, 0, 0, (0x20019, {24, 390, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02687 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... 384, ) }, ... 384, ) == 0x0 02688 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}1"}, 162, ) }, 162, ) == 0x0 02689 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02690 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02691 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02692 896 NtClose (392, ... ) == 0x0 02693 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02694 896 NtOpenKey (0x2000000, {24, 386, 0x40, 0, 0, (0x2000000, {24, 386, 0x40, 0, 0, "InprocServer32"}, ... 392, ) }, ... 392, ) == 0x0 02695 896 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, 192, ) }, 192, ) == 0x0 02696 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02697 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02698 896 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02699 896 NtClose (396, ... ) == 0x0 02700 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02701 896 NtQueryValueKey (394, (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (394, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0o\0t\0h\0\0\0"}, 22, ) }, 22, ) == 0x0 02702 896 NtClose (394, ... ) == 0x0 02703 896 NtClose (386, ... ) == 0x0 02704 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02705 896 NtOpenKey (0x20019, {24, 222, 0x40, 0, 0, (0x20019, {24, 222, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02706 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}"}, ... 384, ) }, ... 384, ) == 0x0 02707 896 NtQueryKey (386, Name, 384, ... {Name= (386, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}1"}, 162, ) }, 162, ) == 0x0 02708 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02709 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 392, ) == 0x0 02710 896 NtQueryInformationToken (392, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02711 896 NtClose (392, ... ) == 0x0 02712 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02713 896 NtOpenKey (0x1, {24, 386, 0x40, 0, 0, (0x1, {24, 386, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02714 896 NtClose (386, ... ) == 0x0 02715 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1228432, ... ) }, 1228432, ... ) == 0x0 02716 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 5, 96, ... 384, {status=0x0, info=1}, ) }, 5, 96, ... 384, {status=0x0, info=1}, ) == 0x0 02717 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 384, ... 392, ) == 0x0 02718 896 NtClose (384, ... ) == 0x0 02719 896 NtMapViewOfSection (392, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc30000), 0x0, 1163264, ) == 0x0 02720 896 NtClose (392, ... ) == 0x0 02721 896 NtUnmapViewOfSection (-1, 0xc30000, ... ) == 0x0 02722 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1228740, ... ) }, 1228740, ... ) == 0x0 02723 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 5, 96, ... 392, {status=0x0, info=1}, ) }, 5, 96, ... 392, {status=0x0, info=1}, ) == 0x0 02724 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 392, ... 384, ) == 0x0 02725 896 NtQuerySection (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02726 896 NtClose (392, ... ) == 0x0 02727 896 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x42cf0000), 0x0, 1208320, ) == 0x0 02728 896 NtClose (384, ... ) == 0x0 02729 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02730 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02731 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02732 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02733 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02734 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02735 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02736 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02737 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02738 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02739 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02740 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02741 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02742 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02743 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02744 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02745 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02746 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02747 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02748 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02749 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02750 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02751 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02752 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02753 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02754 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02755 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02756 896 NtProtectVirtualMemory (-1, (0x42cf1000), 2148, 4, ... (0x42cf1000), 4096, 32, ) == 0x0 02757 896 NtProtectVirtualMemory (-1, (0x42cf1000), 4096, 32, ... (0x42cf1000), 4096, 4, ) == 0x0 02758 896 NtFlushInstructionCache (-1, 1120866304, 2148, ... ) == 0x0 02759 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02760 896 NtQueryPerformanceCounter (... {-1444316433, 16}, {3579545, 0}, ) == 0x0 02761 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Local\ZonesCounterMutex"}, 0, ... 384, ) }, 0, ... 384, ) == STATUS_OBJECT_NAME_EXISTS 02762 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Local\ZonesCacheCounterMutex"}, 0, ... 392, ) }, 0, ... 392, ) == STATUS_OBJECT_NAME_EXISTS 02763 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Local\ZonesLockedCacheCounterMutex"}, 0, ... 396, ) }, 0, ... 396, ) == STATUS_OBJECT_NAME_EXISTS 02764 896 NtQueryDefaultUILanguage (1227536, ... 02765 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02766 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 02767 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02768 896 NtClose (-2147482756, ... ) == 0x0 02769 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 02770 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02771 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 02772 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02773 896 NtClose (-2147481452, ... ) == 0x0 02774 896 NtClose (-2147482756, ... ) == 0x0 02764 896 NtQueryDefaultUILanguage ... ) == 0x0 02775 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02776 896 NtQueryDefaultLocale (1, 1225632, ... ) == 0x0 02777 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02778 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1226668, 1179817, 1226392} (24, {128, 156, new_msg, 0, 2088850039, 1226668, 1179817, 1226392} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\240\273\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81855, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\240\273\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81855, 0} (24, {128, 156, new_msg, 0, 2088850039, 1226668, 1179817, 1226392} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\240\273\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81855, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0\0I\333B\0\0\0\0\361\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\240\273\22\0\0\0\0\0" ) ) == 0x0 02779 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02780 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02781 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02782 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02783 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1224860, ... ) }, 1224860, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02784 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02785 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02786 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02787 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1224924, ... ) }, 1224924, ... ) == 0x0 02788 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 400, {status=0x0, info=1}, ) }, 3, 33, ... 400, {status=0x0, info=1}, ) == 0x0 02789 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02790 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02791 896 NtOpenKey (0x2000000, {24, 222, 0x40, 0, 0, (0x2000000, {24, 222, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02792 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 404, ) }, ... 404, ) == 0x0 02793 896 NtQueryKey (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 02794 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02795 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 02796 896 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02797 896 NtClose (408, ... ) == 0x0 02798 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02799 896 NtEnumerateKey (406, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name= (406, 0, Node, 288, ... {LastWrite={0xdf7c22cc,0x1c74da8}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 02800 896 NtEnumerateKey (406, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 02801 896 NtClose (406, ... ) == 0x0 02802 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02803 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02804 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 404, ) }, ... 404, ) == 0x0 02805 896 NtQueryValueKey (404, (404, "DisableImprovedZoneCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02806 896 NtClose (404, ... ) == 0x0 02807 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02808 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02809 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02810 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02811 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 404, ) }, ... 404, ) == 0x0 02812 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02813 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02814 896 NtClose (404, ... ) == 0x0 02815 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02816 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02817 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02818 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02819 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02820 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02821 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02822 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02823 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02824 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 404, ) }, ... 404, ) == 0x0 02825 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02826 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_OBJECT_CACHING"}, ... 408, ) }, ... 408, ) == 0x0 02827 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02828 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02829 896 NtClose (408, ... ) == 0x0 02830 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_ZONE_ELEVATION"}, ... 408, ) }, ... 408, ) == 0x0 02831 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02832 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02833 896 NtClose (408, ... ) == 0x0 02834 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_MIME_HANDLING"}, ... 408, ) }, ... 408, ) == 0x0 02835 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02836 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02837 896 NtClose (408, ... ) == 0x0 02838 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_MIME_SNIFFING"}, ... 408, ) }, ... 408, ) == 0x0 02839 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02840 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02841 896 NtClose (408, ... ) == 0x0 02842 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_WINDOW_RESTRICTIONS"}, ... 408, ) }, ... 408, ) == 0x0 02843 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02844 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02845 896 NtClose (408, ... ) == 0x0 02846 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_WEBOC_POPUPMANAGEMENT"}, ... 408, ) }, ... 408, ) == 0x0 02847 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02848 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02849 896 NtClose (408, ... ) == 0x0 02850 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_BEHAVIORS"}, ... 408, ) }, ... 408, ) == 0x0 02851 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02852 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02853 896 NtClose (408, ... ) == 0x0 02854 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_DISABLE_MK_PROTOCOL"}, ... 408, ) }, ... 408, ) == 0x0 02855 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02856 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "*", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02857 896 NtClose (408, ... ) == 0x0 02858 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_LOCALMACHINE_LOCKDOWN"}, ... 408, ) }, ... 408, ) == 0x0 02859 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02860 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02861 896 NtClose (408, ... ) == 0x0 02862 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_SECURITYBAND"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02863 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_RESTRICT_ACTIVEXINSTALL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02864 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_VALIDATE_NAVIGATE_URL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02865 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_RESTRICT_FILEDOWNLOAD"}, ... 408, ) }, ... 408, ) == 0x0 02866 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02867 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02868 896 NtClose (408, ... ) == 0x0 02869 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_ADDON_MANAGEMENT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02870 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_PROTOCOL_LOCKDOWN"}, ... 408, ) }, ... 408, ) == 0x0 02871 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02872 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02873 896 NtClose (408, ... ) == 0x0 02874 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_HTTP_USERNAME_PASSWORD_DISABLE"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02875 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_SAFE_BINDTOOBJECT"}, ... 408, ) }, ... 408, ) == 0x0 02876 896 NtQueryValueKey (408, (408, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02877 896 NtQueryValueKey (408, (408, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02878 896 NtClose (408, ... ) == 0x0 02879 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_UNC_SAVEDFILECHECK"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02880 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_GET_URL_DOM_FILEPATH_UNENCODED"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02881 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_TABBED_BROWSING"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02882 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_SSLUX"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02883 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_DISABLE_NAVIGATION_SOUNDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02884 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_DISABLE_LEGACY_COMPRESSION"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02885 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_FORCE_ADDR_AND_STATUS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02886 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_XMLHTTP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02887 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_DISABLE_TELNET_PROTOCOL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02888 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_FEEDS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02889 896 NtOpenKey (0x1, {24, 404, 0x40, 0, 0, (0x1, {24, 404, 0x40, 0, 0, "FEATURE_BLOCK_INPUT_PROMPTS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02890 896 NtClose (404, ... ) == 0x0 02891 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 02892 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02893 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InProcServer32"}, ... 404, ) }, ... 404, ) == 0x0 02894 896 NtQueryKey (406, Name, 392, ... {Name= (406, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, 192, ) }, 192, ) == 0x0 02895 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02896 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 408, ) == 0x0 02897 896 NtQueryInformationToken (408, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02898 896 NtClose (408, ... ) == 0x0 02899 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02900 896 NtQueryValueKey (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (406, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0u\0r\0l\0m\0o\0n\0.\0d\0l\0l\0\0\0"}, 74, ) }, 74, ) == 0x0 02901 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1231104, ... ) }, 1231104, ... ) == 0x0 02902 896 NtClose (406, ... ) == 0x0 02903 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 404, ) }, ... 404, ) == 0x0 02904 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies"}, ... 408, ) }, ... 408, ) == 0x0 02905 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies"}, ... 412, ) }, ... 412, ) == 0x0 02906 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software"}, ... 416, ) }, ... 416, ) == 0x0 02907 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software"}, ... 420, ) }, ... 420, ) == 0x0 02908 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02909 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02910 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 424, ) }, ... 424, ) == 0x0 02911 896 NtOpenKey (0x20019, {24, 424, 0x40, 0, 0, (0x20019, {24, 424, 0x40, 0, 0, "Ranges\"}, ... 428, ) }, ... 428, ) == 0x0 02912 896 NtQueryKey (428, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02913 896 NtClose (428, ... ) == 0x0 02914 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 02915 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 02916 896 NtOpenKey (0x20019, {24, 424, 0x40, 0, 0, (0x20019, {24, 424, 0x40, 0, 0, "ProtocolDefaults\"}, ... 428, ) }, ... 428, ) == 0x0 02917 896 NtQueryKey (428, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02918 896 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name=" (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="", Data="\0\0"}, 22, ) \0\0"}, 22, ) == 0x0 02919 896 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=4, Name="http", Data="\3\0\0\0"}, 32, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=4, Name="http", Data="\3\0\0\0"}, 32, ) }, 32, ) == 0x0 02920 896 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=4, Name="https", Data="\3\0\0\0"}, 36, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=4, Name="https", Data="\3\0\0\0"}, 36, ) }, 36, ) == 0x0 02921 896 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=4, Name="ftp", Data="\3\0\0\0"}, 32, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=4, Name="ftp", Data="\3\0\0\0"}, 32, ) }, 32, ) == 0x0 02922 896 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=4, Name="file", Data="\3\0\0\0"}, 32, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=4, Name="file", Data="\3\0\0\0"}, 32, ) }, 32, ) == 0x0 02923 896 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=4, Name="@ivt", Data="\1\0\0\0"}, 32, ) , Data= (428, 5, Full, 220, ... TitleIdx=0, Type=4, Name="@ivt", Data="\1\0\0\0"}, 32, ) }, 32, ) == 0x0 02924 896 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=4, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=4, Name="shell", Data="\0\0\0\0"}, 36, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=4, Name="shell", Data="\0\0\0\0"}, 36, ) }, 36, ) == 0x0 02925 896 NtClose (428, ... ) == 0x0 02926 896 NtOpenKey (0x20019, {24, 424, 0x40, 0, 0, (0x20019, {24, 424, 0x40, 0, 0, "Domains\"}, ... 428, ) }, ... 428, ) == 0x0 02927 896 NtQueryKey (428, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02928 896 NtClose (428, ... ) == 0x0 02929 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"}, ... 428, ) }, ... 428, ) == 0x0 02930 896 NtQueryKey (428, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02931 896 NtEnumerateKey (428, 0, Basic, 288, ... {LastWrite={0xde94deb2,0x1c74da8}, TitleIdx=0, Name= (428, 0, Basic, 288, ... {LastWrite={0xde94deb2,0x1c74da8}, TitleIdx=0, Name="msn.com"}, 30, ) }, 30, ) == 0x0 02932 896 NtOpenKey (0x20019, {24, 428, 0x40, 0, 0, (0x20019, {24, 428, 0x40, 0, 0, "msn.com"}, ... 432, ) }, ... 432, ) == 0x0 02933 896 NtQueryKey (432, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02934 896 NtEnumerateKey (432, 0, Basic, 288, ... {LastWrite={0xde94deb2,0x1c74da8}, TitleIdx=0, Name= (432, 0, Basic, 288, ... {LastWrite={0xde94deb2,0x1c74da8}, TitleIdx=0, Name="related"}, 30, ) }, 30, ) == 0x0 02935 896 NtOpenKey (0x20019, {24, 432, 0x40, 0, 0, (0x20019, {24, 432, 0x40, 0, 0, "related"}, ... 436, ) }, ... 436, ) == 0x0 02936 896 NtQueryKey (436, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 02937 896 NtEnumerateValueKey (436, 0, Full, 220, ... TitleIdx=0, Type=4, Name= (436, 0, Full, 220, ... TitleIdx=0, Type=4, Name="http", Data="\4\0\0\0"}, 32, ) , Data= (436, 0, Full, 220, ... TitleIdx=0, Type=4, Name="http", Data="\4\0\0\0"}, 32, ) }, 32, ) == 0x0 02938 896 NtClose (436, ... ) == 0x0 02939 896 NtEnumerateValueKey (432, 0, Full, 220, ... TitleIdx=0, Type=1, Name=" (432, 0, Full, 220, ... TitleIdx=0, Type=1, Name="", Data="\0\0"}, 22, ) \0\0"}, 22, ) == 0x0 02940 896 NtClose (432, ... ) == 0x0 02941 896 NtClose (428, ... ) == 0x0 02942 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 02943 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 02944 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02945 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 428, ) }, ... 428, ) == 0x0 02946 896 NtQueryValueKey (428, (428, "CreateUriCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02947 896 NtClose (428, ... ) == 0x0 02948 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 428, ) }, ... 428, ) == 0x0 02949 896 NtQueryValueKey (428, (428, "CreateUriCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02950 896 NtClose (428, ... ) == 0x0 02951 896 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 428, ) == 0x0 02952 896 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 432, ) == 0x0 02953 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02954 896 NtSetEvent (432, ... 0x0, ) == 0x0 02955 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 436, ) }, ... 436, ) == 0x0 02956 896 NtQueryValueKey (436, (436, "EnablePunycode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02957 896 NtClose (436, ... ) == 0x0 02958 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 436, ) }, ... 436, ) == 0x0 02959 896 NtQueryValueKey (436, (436, "EnablePunycode", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (436, "EnablePunycode", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02960 896 NtClose (436, ... ) == 0x0 02961 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02962 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02963 896 NtSetEvent (432, ... 0x0, ) == 0x0 02964 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02965 896 NtSetEvent (432, ... 0x0, ) == 0x0 02966 896 NtSetEvent (428, ... 0x0, ) == 0x0 02967 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02968 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02969 896 NtSetEvent (432, ... 0x0, ) == 0x0 02970 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02971 896 NtSetEvent (432, ... 0x0, ) == 0x0 02972 896 NtSetEvent (428, ... 0x0, ) == 0x0 02973 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02974 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02975 896 NtSetEvent (432, ... 0x0, ) == 0x0 02976 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02977 896 NtSetEvent (432, ... 0x0, ) == 0x0 02978 896 NtSetEvent (428, ... 0x0, ) == 0x0 02979 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02980 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02981 896 NtSetEvent (432, ... 0x0, ) == 0x0 02982 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02983 896 NtSetEvent (432, ... 0x0, ) == 0x0 02984 896 NtSetEvent (428, ... 0x0, ) == 0x0 02985 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02986 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02987 896 NtSetEvent (432, ... 0x0, ) == 0x0 02988 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02989 896 NtSetEvent (432, ... 0x0, ) == 0x0 02990 896 NtSetEvent (428, ... 0x0, ) == 0x0 02991 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02992 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02993 896 NtSetEvent (432, ... 0x0, ) == 0x0 02994 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02995 896 NtSetEvent (432, ... 0x0, ) == 0x0 02996 896 NtSetEvent (428, ... 0x0, ) == 0x0 02997 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 02998 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 02999 896 NtSetEvent (432, ... 0x0, ) == 0x0 03000 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03001 896 NtSetEvent (432, ... 0x0, ) == 0x0 03002 896 NtSetEvent (428, ... 0x0, ) == 0x0 03003 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03004 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03005 896 NtSetEvent (432, ... 0x0, ) == 0x0 03006 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03007 896 NtSetEvent (432, ... 0x0, ) == 0x0 03008 896 NtSetEvent (428, ... 0x0, ) == 0x0 03009 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03010 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03011 896 NtSetEvent (432, ... 0x0, ) == 0x0 03012 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03013 896 NtSetEvent (432, ... 0x0, ) == 0x0 03014 896 NtSetEvent (428, ... 0x0, ) == 0x0 03015 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03016 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03017 896 NtSetEvent (432, ... 0x0, ) == 0x0 03018 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03019 896 NtSetEvent (432, ... 0x0, ) == 0x0 03020 896 NtSetEvent (428, ... 0x0, ) == 0x0 03021 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03022 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03023 896 NtSetEvent (432, ... 0x0, ) == 0x0 03024 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03025 896 NtSetEvent (432, ... 0x0, ) == 0x0 03026 896 NtSetEvent (428, ... 0x0, ) == 0x0 03027 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03028 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03029 896 NtSetEvent (432, ... 0x0, ) == 0x0 03030 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03031 896 NtSetEvent (432, ... 0x0, ) == 0x0 03032 896 NtSetEvent (428, ... 0x0, ) == 0x0 03033 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03034 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03035 896 NtSetEvent (432, ... 0x0, ) == 0x0 03036 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03037 896 NtSetEvent (432, ... 0x0, ) == 0x0 03038 896 NtSetEvent (428, ... 0x0, ) == 0x0 03039 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03040 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03041 896 NtSetEvent (432, ... 0x0, ) == 0x0 03042 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03043 896 NtSetEvent (432, ... 0x0, ) == 0x0 03044 896 NtSetEvent (428, ... 0x0, ) == 0x0 03045 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03046 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03047 896 NtSetEvent (432, ... 0x0, ) == 0x0 03048 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03049 896 NtSetEvent (432, ... 0x0, ) == 0x0 03050 896 NtSetEvent (428, ... 0x0, ) == 0x0 03051 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03052 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03053 896 NtSetEvent (432, ... 0x0, ) == 0x0 03054 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03055 896 NtSetEvent (432, ... 0x0, ) == 0x0 03056 896 NtSetEvent (428, ... 0x0, ) == 0x0 03057 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03058 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03059 896 NtSetEvent (432, ... 0x0, ) == 0x0 03060 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03061 896 NtSetEvent (432, ... 0x0, ) == 0x0 03062 896 NtSetEvent (428, ... 0x0, ) == 0x0 03063 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03064 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03065 896 NtSetEvent (432, ... 0x0, ) == 0x0 03066 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03067 896 NtSetEvent (432, ... 0x0, ) == 0x0 03068 896 NtSetEvent (428, ... 0x0, ) == 0x0 03069 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03070 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03071 896 NtSetEvent (432, ... 0x0, ) == 0x0 03072 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03073 896 NtSetEvent (432, ... 0x0, ) == 0x0 03074 896 NtSetEvent (428, ... 0x0, ) == 0x0 03075 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03076 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03077 896 NtSetEvent (432, ... 0x0, ) == 0x0 03078 896 NtSetEvent (428, ... 0x0, ) == 0x0 03079 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03080 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03081 896 NtSetEvent (432, ... 0x0, ) == 0x0 03082 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03083 896 NtSetEvent (432, ... 0x0, ) == 0x0 03084 896 NtSetEvent (428, ... 0x0, ) == 0x0 03085 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03086 896 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "Microsoft\Internet Explorer\Security"}, ... 436, ) }, ... 436, ) == 0x0 03087 896 NtQueryValueKey (436, (436, "DisableSecuritySettingsCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03088 896 NtClose (436, ... ) == 0x0 03089 896 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Microsoft\Internet Explorer\Security"}, ... 436, ) }, ... 436, ) == 0x0 03090 896 NtQueryValueKey (436, (436, "DisableSecuritySettingsCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03091 896 NtClose (436, ... ) == 0x0 03092 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03093 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1231316, ... ) }, 1231316, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03094 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 1231316, ... ) }, 1231316, ... ) == 0x0 03095 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Secur32.dll"}, 5, 96, ... 436, {status=0x0, info=1}, ) }, 5, 96, ... 436, {status=0x0, info=1}, ) == 0x0 03096 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 436, ... 440, ) == 0x0 03097 896 NtQuerySection (440, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03098 896 NtClose (436, ... ) == 0x0 03099 896 NtMapViewOfSection (440, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77fe0000), 0x0, 69632, ) == 0x0 03100 896 NtClose (440, ... ) == 0x0 03101 896 NtProtectVirtualMemory (-1, (0x77fe1000), 388, 4, ... (0x77fe1000), 4096, 32, ) == 0x0 03102 896 NtProtectVirtualMemory (-1, (0x77fe1000), 4096, 32, ... (0x77fe1000), 4096, 4, ) == 0x0 03103 896 NtFlushInstructionCache (-1, 2013138944, 388, ... ) == 0x0 03104 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03105 896 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 440, ) == 0x0 03106 896 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 436, ) == 0x0 03107 896 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 444, ) }, ... 444, ) == 0x0 03108 896 NtQueryEvent (444, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 03109 896 NtClose (444, ... ) == 0x0 03110 896 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1232888, 140, ... 444, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1232888, 140, ... 444, 0x0, 0x0, 256, 140, ) == 0x0 03111 896 NtRequestWaitReplyPort (444, {28, 52, new_msg, 0, 0, 0, 0, 0} (444, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\240\267\25\0" ... {188, 212, reply, 0, 1252, 896, 81857, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ... {188, 212, reply, 0, 1252, 896, 81857, 0} (444, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\240\267\25\0" ... {188, 212, reply, 0, 1252, 896, 81857, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 03112 896 NtCreateSection (0xf0007, {24, 44, 0x80, 0, 0, (0xf0007, {24, 44, 0x80, 0, 0, "Local\UrlZonesSM_Martim Carbone"}, {28, 0}, 4, 134217728, 0, ... 448, ) }, {28, 0}, 4, 134217728, 0, ... 448, ) == STATUS_OBJECT_NAME_EXISTS 03113 896 NtMapViewOfSection (448, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9a0000), {0, 0}, 4096, ) == 0x0 03114 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03115 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 452, ) == 0x0 03116 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03117 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03118 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1231656, (0xc0100080, {24, 0, 0x40, 0, 1231656, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 456, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 456, {status=0x0, info=1}, ) == 0x0 03119 896 NtSetInformationFile (456, 1231712, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03120 896 NtSetInformationFile (456, 1231700, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03121 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03122 896 NtWriteFile (456, 189, 0, 0, (456, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03123 896 NtReadFile (456, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (456, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03124 896 NtFsControlFile (456, 189, 0x0, 0x0, 0x11c017, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... {status=0x103, info=68}, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03125 896 NtFsControlFile (456, 189, 0x0, 0x0, 0x11c017, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0.\0\0\0\2\0\0\0\26\0\0\0\0\0.\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\14\0", 46, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\0\0\0\0", ) , 46, 1024, ... {status=0x103, info=48}, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0.\0\0\0\2\0\0\0\26\0\0\0\0\0.\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\14\0", 46, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\0\0\0\0", ) , ) == 0x103 03126 896 NtFsControlFile (456, 189, 0x0, 0x0, 0x11c017, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0.\0\0\0\3\0\0\0\26\0\0\0\0\0\7\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\5\0", 46, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\2\0\0\0P\0\0\0\0\0\0\0\0\206\26\0\14\0\274\35\14\0\16\00\206\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\6\0\0\0M\0S\0H\0O\0M\0E\0\0\0\0\0", ) , 46, 1024, ... {status=0x103, info=104}, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0.\0\0\0\3\0\0\0\26\0\0\0\0\0\7\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A\5\0", 46, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\2\0\0\0P\0\0\0\0\0\0\0\0\206\26\0\14\0\274\35\14\0\16\00\206\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\0\0\0\0\6\0\0\0M\0S\0H\0O\0M\0E\0\0\0\0\0", ) , ) == 0x103 03127 896 NtFsControlFile (456, 189, 0x0, 0x0, 0x11c017, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A", 44, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\3\0\0\0P\0\0\0\0\0\0\0\230\206\26\0\5\0\274\35\16\0\20\0\310\206\26\0\330\206\26\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=104}, (456, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0IZ\274\35\11\214T@\262\364>G\345\302\315A", 44, 1024, ... {status=0x103, info=104}, "\5\0\2\3\20\0\0\0h\0\0\0\3\0\0\0P\0\0\0\0\0\0\0\230\206\26\0\5\0\274\35\16\0\20\0\310\206\26\0\330\206\26\0\10\0\0\0\0\0\0\0\7\0\0\0V\0I\0R\0T\0U\0A\0L\0\0\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0=\343\10MB\307tR\7\345;+\0\0\0\0", ) , ) == 0x103 03128 896 NtClose (452, ... ) == 0x0 03129 896 NtClose (456, ... ) == 0x0 03130 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Local\ZoneAttributeCacheCounterMutex"}, 0, ... 456, ) }, 0, ... 456, ) == STATUS_OBJECT_NAME_EXISTS 03131 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\Setup"}, ... 452, ) }, ... 452, ) == 0x0 03132 896 NtQueryValueKey (452, (452, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (452, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03133 896 NtClose (452, ... ) == 0x0 03134 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 452, ) }, ... 452, ) == 0x0 03135 896 NtOpenKey (0x20019, {24, 452, 0x40, 0, 0, (0x20019, {24, 452, 0x40, 0, 0, "0"}, ... 460, ) }, ... 460, ) == 0x0 03136 896 NtClose (460, ... ) == 0x0 03137 896 NtOpenKey (0x20019, {24, 452, 0x40, 0, 0, (0x20019, {24, 452, 0x40, 0, 0, "1"}, ... 460, ) }, ... 460, ) == 0x0 03138 896 NtClose (460, ... ) == 0x0 03139 896 NtOpenKey (0x20019, {24, 452, 0x40, 0, 0, (0x20019, {24, 452, 0x40, 0, 0, "2"}, ... 460, ) }, ... 460, ) == 0x0 03140 896 NtClose (460, ... ) == 0x0 03141 896 NtOpenKey (0x20019, {24, 452, 0x40, 0, 0, (0x20019, {24, 452, 0x40, 0, 0, "3"}, ... 460, ) }, ... 460, ) == 0x0 03142 896 NtClose (460, ... ) == 0x0 03143 896 NtOpenKey (0x20019, {24, 452, 0x40, 0, 0, (0x20019, {24, 452, 0x40, 0, 0, "4"}, ... 460, ) }, ... 460, ) == 0x0 03144 896 NtClose (460, ... ) == 0x0 03145 896 NtClose (452, ... ) == 0x0 03146 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03147 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03148 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03149 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03150 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03151 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 452, ) }, ... 452, ) == 0x0 03152 896 NtEnumerateKey (452, 0, Basic, 288, ... {LastWrite={0x435b806e,0x1c74db1}, TitleIdx=0, Name= (452, 0, Basic, 288, ... {LastWrite={0x435b806e,0x1c74db1}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 03153 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 460, ) }, ... 460, ) == 0x0 03154 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03155 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03156 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03157 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 464, ) }, ... 464, ) == 0x0 03158 896 NtQueryValueKey (464, (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 03159 896 NtClose (464, ... ) == 0x0 03160 896 NtClose (460, ... ) == 0x0 03161 896 NtEnumerateKey (452, 1, Basic, 288, ... {LastWrite={0x437357f2,0x1c74db1}, TitleIdx=0, Name= (452, 1, Basic, 288, ... {LastWrite={0x437357f2,0x1c74db1}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0 03162 896 NtAllocateVirtualMemory (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0 03163 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 460, ) }, ... 460, ) == 0x0 03164 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03165 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03166 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03167 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 464, ) }, ... 464, ) == 0x0 03168 896 NtQueryValueKey (464, (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\1\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\1\0\0"}, 16, ) }, 16, ) == 0x0 03169 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03170 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03171 896 NtOpenKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 468, ) }, ... 468, ) == 0x0 03172 896 NtSetValueKey (468, (468, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (468, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03173 896 NtSetValueKey (468, (468, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (468, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03174 896 NtSetValueKey (468, (468, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (468, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03175 896 NtSetValueKey (468, (468, "AutoDetect", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (468, "AutoDetect", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03176 896 NtClose (468, ... ) == 0x0 03177 896 NtClose (464, ... ) == 0x0 03178 896 NtClose (460, ... ) == 0x0 03179 896 NtEnumerateKey (452, 2, Basic, 288, ... {LastWrite={0x4369ce8a,0x1c74db1}, TitleIdx=0, Name= (452, 2, Basic, 288, ... {LastWrite={0x4369ce8a,0x1c74db1}, TitleIdx=0, Name="2e"}, 18, ) }, 18, ) == 0x0 03180 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 460, ) }, ... 460, ) == 0x0 03181 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03182 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03183 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03184 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 464, ) }, ... 464, ) == 0x0 03185 896 NtQueryValueKey (464, (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0 03186 896 NtClose (464, ... ) == 0x0 03187 896 NtClose (460, ... ) == 0x0 03188 896 NtEnumerateKey (452, 3, Basic, 288, ... {LastWrite={0x31a6291,0x1c7701e}, TitleIdx=0, Name= (452, 3, Basic, 288, ... {LastWrite={0x31a6291,0x1c7701e}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0 03189 896 NtAllocateVirtualMemory (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0 03190 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 460, ) }, ... 460, ) == 0x0 03191 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03192 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03193 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03194 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 464, ) }, ... 464, ) == 0x0 03195 896 NtQueryValueKey (464, (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03196 896 NtClose (464, ... ) == 0x0 03197 896 NtClose (460, ... ) == 0x0 03198 896 NtEnumerateKey (452, 4, Basic, 288, ... {LastWrite={0x43604522,0x1c74db1}, TitleIdx=0, Name= (452, 4, Basic, 288, ... {LastWrite={0x43604522,0x1c74db1}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0 03199 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 460, ) }, ... 460, ) == 0x0 03200 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03201 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03202 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03203 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 464, ) }, ... 464, ) == 0x0 03204 896 NtQueryValueKey (464, (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (464, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03205 896 NtClose (464, ... ) == 0x0 03206 896 NtClose (460, ... ) == 0x0 03207 896 NtEnumerateKey (452, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03208 896 NtClose (452, ... ) == 0x0 03209 896 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Local\ZoneAttributeCacheCounterMutex"}, 0, ... 452, ) }, 0, ... 452, ) == STATUS_OBJECT_NAME_EXISTS 03210 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03211 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03212 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03213 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03214 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03215 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\"}, ... 460, ) }, ... 460, ) == 0x0 03216 896 NtEnumerateKey (460, 0, Basic, 288, ... {LastWrite={0x4362a77c,0x1c74db1}, TitleIdx=0, Name= (460, 0, Basic, 288, ... {LastWrite={0x4362a77c,0x1c74db1}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 03217 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"}, ... 464, ) }, ... 464, ) == 0x0 03218 896 NtAllocateVirtualMemory (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0 03219 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03220 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03221 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03222 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 468, ) }, ... 468, ) == 0x0 03223 896 NtQueryValueKey (468, (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 03224 896 NtClose (468, ... ) == 0x0 03225 896 NtClose (464, ... ) == 0x0 03226 896 NtEnumerateKey (460, 1, Basic, 288, ... {LastWrite={0x4362a77c,0x1c74db1}, TitleIdx=0, Name= (460, 1, Basic, 288, ... {LastWrite={0x4362a77c,0x1c74db1}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0 03227 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1"}, ... 464, ) }, ... 464, ) == 0x0 03228 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03229 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03230 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03231 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 468, ) }, ... 468, ) == 0x0 03232 896 NtQueryValueKey (468, (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\1\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\1\0\0"}, 16, ) }, 16, ) == 0x0 03233 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03234 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03235 896 NtOpenKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 472, ) }, ... 472, ) == 0x0 03236 896 NtSetValueKey (472, (472, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (472, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03237 896 NtSetValueKey (472, (472, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (472, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03238 896 NtSetValueKey (472, (472, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (472, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03239 896 NtSetValueKey (472, (472, "AutoDetect", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (472, "AutoDetect", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03240 896 NtClose (472, ... ) == 0x0 03241 896 NtClose (468, ... ) == 0x0 03242 896 NtClose (464, ... ) == 0x0 03243 896 NtEnumerateKey (460, 2, Basic, 288, ... {LastWrite={0x436509d6,0x1c74db1}, TitleIdx=0, Name= (460, 2, Basic, 288, ... {LastWrite={0x436509d6,0x1c74db1}, TitleIdx=0, Name="2e"}, 18, ) }, 18, ) == 0x0 03244 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2"}, ... 464, ) }, ... 464, ) == 0x0 03245 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03246 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03247 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03248 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 468, ) }, ... 468, ) == 0x0 03249 896 NtQueryValueKey (468, (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0 03250 896 NtClose (468, ... ) == 0x0 03251 896 NtClose (464, ... ) == 0x0 03252 896 NtEnumerateKey (460, 3, Basic, 288, ... {LastWrite={0x436509d6,0x1c74db1}, TitleIdx=0, Name= (460, 3, Basic, 288, ... {LastWrite={0x436509d6,0x1c74db1}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0 03253 896 NtAllocateVirtualMemory (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0 03254 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3"}, ... 464, ) }, ... 464, ) == 0x0 03255 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03256 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03257 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03258 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 468, ) }, ... 468, ) == 0x0 03259 896 NtQueryValueKey (468, (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03260 896 NtClose (468, ... ) == 0x0 03261 896 NtClose (464, ... ) == 0x0 03262 896 NtEnumerateKey (460, 4, Basic, 288, ... {LastWrite={0x43676c30,0x1c74db1}, TitleIdx=0, Name= (460, 4, Basic, 288, ... {LastWrite={0x43676c30,0x1c74db1}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0 03263 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4"}, ... 464, ) }, ... 464, ) == 0x0 03264 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03265 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03266 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03267 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 468, ) }, ... 468, ) == 0x0 03268 896 NtQueryValueKey (468, (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (468, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03269 896 NtClose (468, ... ) == 0x0 03270 896 NtClose (464, ... ) == 0x0 03271 896 NtEnumerateKey (460, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03272 896 NtClose (460, ... ) == 0x0 03273 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03274 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03275 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03276 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03277 896 NtSetEvent (432, ... 0x0, ) == 0x0 03278 896 NtSetEvent (428, ... 0x0, ) == 0x0 03279 896 NtWaitForSingleObject (428, 0, 0x0, ... ) == 0x0 03280 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03281 896 NtSetEvent (432, ... 0x0, ) == 0x0 03282 896 NtWaitForSingleObject (432, 0, 0x0, ... ) == 0x0 03283 896 NtSetEvent (432, ... 0x0, ) == 0x0 03284 896 NtSetEvent (428, ... 0x0, ) == 0x0 03285 896 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03286 896 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 460, {status=0x0, info=1}, ) }, 3, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03287 896 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 464, ) }, ... 464, ) == 0x0 03288 896 NtQuerySymbolicLinkObject (464, ... (464, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0 03289 896 NtClose (464, ... ) == 0x0 03290 896 NtQueryVolumeInformationFile (460, 1231152, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03291 896 NtClose (460, ... ) == 0x0 03292 896 NtWaitForSingleObject (68, 0, {0, 0}, ... ) == 0x102 03293 896 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03294 896 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\u:"}, 3, 96, ... 460, {status=0x0, info=1}, ) }, 3, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03295 896 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\u:"}, ... 464, ) }, ... 464, ) == 0x0 03296 896 NtQuerySymbolicLinkObject (464, ... (464, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0 03297 896 NtClose (464, ... ) == 0x0 03298 896 NtQueryVolumeInformationFile (460, 1230932, 8, Device, ... {status=0x0, info=8}, ) == 0x0 03299 896 NtClose (460, ... ) == 0x0 03300 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "system\CurrentControlSet"}, ... 460, ) }, ... 460, ) == 0x0 03301 896 NtOpenKey (0x20019, {24, 460, 0x40, 0, 0, (0x20019, {24, 460, 0x40, 0, 0, "control\NetworkProvider\HwOrder"}, ... 464, ) }, ... 464, ) == 0x0 03302 896 NtQueryValueKey (464, (464, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 03303 896 NtQueryValueKey (464, (464, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "ProviderOrder", Partial, 144, ... TitleIdx=0, Type=1, Data="R\0D\0P\0N\0P\0,\0L\0a\0n\0m\0a\0n\0W\0o\0r\0k\0s\0t\0a\0t\0i\0o\0n\0,\0W\0e\0b\0C\0l\0i\0e\0n\0t\0,\0h\0g\0f\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 03304 896 NtClose (464, ... ) == 0x0 03305 896 NtAllocateVirtualMemory (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0 03306 896 NtOpenKey (0x20019, {24, 460, 0x40, 0, 0, (0x20019, {24, 460, 0x40, 0, 0, "services\RDPNP\NetworkProvider"}, ... 464, ) }, ... 464, ) == 0x0 03307 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03308 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03309 896 NtQueryValueKey (464, (464, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03310 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03311 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0r\0p\0r\0o\0v\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03312 896 NtClose (464, ... ) == 0x0 03313 896 NtOpenKey (0x20019, {24, 460, 0x40, 0, 0, (0x20019, {24, 460, 0x40, 0, 0, "services\LanmanWorkstation\NetworkProvider"}, ... 464, ) }, ... 464, ) == 0x0 03314 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 03315 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0W\0i\0n\0d\0o\0w\0s\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 64, ) }, 64, ) == 0x0 03316 896 NtQueryValueKey (464, (464, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03317 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 03318 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0n\0t\0l\0a\0n\0m\0a\0n\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 03319 896 NtClose (464, ... ) == 0x0 03320 896 NtOpenKey (0x20019, {24, 460, 0x40, 0, 0, (0x20019, {24, 460, 0x40, 0, 0, "services\WebClient\NetworkProvider"}, ... 464, ) }, ... 464, ) == 0x0 03321 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03322 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03323 896 NtQueryValueKey (464, (464, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03324 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03325 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0d\0a\0v\0c\0l\0n\0t\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03326 896 NtClose (464, ... ) == 0x0 03327 896 NtOpenKey (0x20019, {24, 460, 0x40, 0, 0, (0x20019, {24, 460, 0x40, 0, 0, "services\hgfs\NetworkProvider"}, ... 464, ) }, ... 464, ) == 0x0 03328 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03329 896 NtQueryValueKey (464, (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "name", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0M\0w\0a\0r\0e\0 \0S\0h\0a\0r\0e\0d\0 \0F\0o\0l\0d\0e\0r\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 03330 896 NtQueryValueKey (464, (464, "Class", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03331 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\0.\0d\0l\0l\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\0.\0d\0l\0l\0\0\0"}, 48, ) }, 48, ) == 0x0 03332 896 NtQueryValueKey (464, (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\0.\0d\0l\0l\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (464, "ProviderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0y\0s\0t\0e\0m\03\02\0\\0h\0g\0f\0s\0.\0d\0l\0l\0\0\0"}, 48, ) }, 48, ) == 0x0 03333 896 NtClose (464, ... ) == 0x0 03334 896 NtClose (460, ... ) == 0x0 03335 896 NtQueryDefaultLocale (1, 1231756, ... ) == 0x0 03336 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1229636, ... ) }, 1229636, ... ) == 0x0 03337 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 460, {status=0x0, info=1}, ) }, 5, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03338 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 460, ... 464, ) == 0x0 03339 896 NtClose (460, ... ) == 0x0 03340 896 NtMapViewOfSection (464, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 16384, ) == 0x0 03341 896 NtClose (464, ... ) == 0x0 03342 896 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 03343 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 1229944, ... ) }, 1229944, ... ) == 0x0 03344 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\drprov.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0 03345 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 464, ... 460, ) == 0x0 03346 896 NtQuerySection (460, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03347 896 NtClose (464, ... ) == 0x0 03348 896 NtMapViewOfSection (460, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f60000), 0x0, 28672, ) == 0x0 03349 896 NtClose (460, ... ) == 0x0 03350 896 NtProtectVirtualMemory (-1, (0x75f61000), 172, 4, ... (0x75f61000), 4096, 32, ) == 0x0 03351 896 NtProtectVirtualMemory (-1, (0x75f61000), 4096, 32, ... (0x75f61000), 4096, 4, ) == 0x0 03352 896 NtFlushInstructionCache (-1, 1979060224, 172, ... ) == 0x0 03353 896 NtProtectVirtualMemory (-1, (0x75f61000), 172, 4, ... (0x75f61000), 4096, 32, ) == 0x0 03354 896 NtProtectVirtualMemory (-1, (0x75f61000), 4096, 32, ... (0x75f61000), 4096, 4, ) == 0x0 03355 896 NtFlushInstructionCache (-1, 1979060224, 172, ... ) == 0x0 03356 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drprov.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03357 896 NtQueryPerformanceCounter (... {-1443911435, 16}, {3579545, 0}, ) == 0x0 03358 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider"}, ... 460, ) }, ... 460, ) == 0x0 03359 896 NtQueryValueKey (460, (460, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (460, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0T\0e\0r\0m\0i\0n\0a\0l\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 03360 896 NtClose (460, ... ) == 0x0 03361 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1229636, ... ) }, 1229636, ... ) == 0x0 03362 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 460, {status=0x0, info=1}, ) }, 5, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03363 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 460, ... 464, ) == 0x0 03364 896 NtClose (460, ... ) == 0x0 03365 896 NtMapViewOfSection (464, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 45056, ) == 0x0 03366 896 NtClose (464, ... ) == 0x0 03367 896 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 03368 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 1229944, ... ) }, 1229944, ... ) == 0x0 03369 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntlanman.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0 03370 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 464, ... 460, ) == 0x0 03371 896 NtQuerySection (460, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03372 896 NtClose (464, ... ) == 0x0 03373 896 NtMapViewOfSection (460, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c10000), 0x0, 57344, ) == 0x0 03374 896 NtClose (460, ... ) == 0x0 03375 896 NtProtectVirtualMemory (-1, (0x71c11000), 716, 4, ... (0x71c11000), 4096, 32, ) == 0x0 03376 896 NtProtectVirtualMemory (-1, (0x71c11000), 4096, 32, ... (0x71c11000), 4096, 4, ) == 0x0 03377 896 NtFlushInstructionCache (-1, 1908477952, 716, ... ) == 0x0 03378 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03379 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 1229120, ... ) }, 1229120, ... ) == 0x0 03380 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI0.dll"}, 5, 96, ... 460, {status=0x0, info=1}, ) }, 5, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03381 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 460, ... 464, ) == 0x0 03382 896 NtQuerySection (464, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03383 896 NtClose (460, ... ) == 0x0 03384 896 NtMapViewOfSection (464, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71cd0000), 0x0, 94208, ) == 0x0 03385 896 NtClose (464, ... ) == 0x0 03386 896 NtProtectVirtualMemory (-1, (0x71cd1000), 384, 4, ... (0x71cd1000), 4096, 32, ) == 0x0 03387 896 NtProtectVirtualMemory (-1, (0x71cd1000), 4096, 32, ... (0x71cd1000), 4096, 4, ) == 0x0 03388 896 NtFlushInstructionCache (-1, 1909264384, 384, ... ) == 0x0 03389 896 NtProtectVirtualMemory (-1, (0x71cd1000), 384, 4, ... (0x71cd1000), 4096, 32, ) == 0x0 03390 896 NtProtectVirtualMemory (-1, (0x71cd1000), 4096, 32, ... (0x71cd1000), 4096, 4, ) == 0x0 03391 896 NtFlushInstructionCache (-1, 1909264384, 384, ... ) == 0x0 03392 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03393 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 1229120, ... ) }, 1229120, ... ) == 0x0 03394 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETUI1.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0 03395 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 464, ... 460, ) == 0x0 03396 896 NtQuerySection (460, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03397 896 NtClose (464, ... ) == 0x0 03398 896 NtMapViewOfSection (460, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c90000), 0x0, 262144, ) == 0x0 03399 896 NtClose (460, ... ) == 0x0 03400 896 NtProtectVirtualMemory (-1, (0x71c91000), 1532, 4, ... (0x71c91000), 4096, 32, ) == 0x0 03401 896 NtProtectVirtualMemory (-1, (0x71c91000), 4096, 32, ... (0x71c91000), 4096, 4, ) == 0x0 03402 896 NtFlushInstructionCache (-1, 1909002240, 1532, ... ) == 0x0 03403 896 NtProtectVirtualMemory (-1, (0x71c91000), 1532, 4, ... (0x71c91000), 4096, 32, ) == 0x0 03404 896 NtProtectVirtualMemory (-1, (0x71c91000), 4096, 32, ... (0x71c91000), 4096, 4, ) == 0x0 03405 896 NtFlushInstructionCache (-1, 1909002240, 1532, ... ) == 0x0 03406 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03407 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 1228304, ... ) }, 1228304, ... ) == 0x0 03408 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETRAP.dll"}, 5, 96, ... 460, {status=0x0, info=1}, ) }, 5, 96, ... 460, {status=0x0, info=1}, ) == 0x0 03409 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 460, ... 464, ) == 0x0 03410 896 NtQuerySection (464, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03411 896 NtClose (460, ... ) == 0x0 03412 896 NtMapViewOfSection (464, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c80000), 0x0, 28672, ) == 0x0 03413 896 NtClose (464, ... ) == 0x0 03414 896 NtProtectVirtualMemory (-1, (0x71c81000), 112, 4, ... (0x71c81000), 4096, 32, ) == 0x0 03415 896 NtProtectVirtualMemory (-1, (0x71c81000), 4096, 32, ... (0x71c81000), 4096, 4, ) == 0x0 03416 896 NtFlushInstructionCache (-1, 1908936704, 112, ... ) == 0x0 03417 896 NtProtectVirtualMemory (-1, (0x71c81000), 112, 4, ... (0x71c81000), 4096, 32, ) == 0x0 03418 896 NtProtectVirtualMemory (-1, (0x71c81000), 4096, 32, ... (0x71c81000), 4096, 4, ) == 0x0 03419 896 NtFlushInstructionCache (-1, 1908936704, 112, ... ) == 0x0 03420 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03421 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1228304, ... ) }, 1228304, ... ) == 0x0 03422 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 464, {status=0x0, info=1}, ) }, 5, 96, ... 464, {status=0x0, info=1}, ) == 0x0 03423 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 464, ... 460, ) == 0x0 03424 896 NtQuerySection (460, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03425 896 NtClose (464, ... ) == 0x0 03426 896 NtMapViewOfSection (460, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 77824, ) == 0x0 03427 896 NtClose (460, ... ) == 0x0 03428 896 NtProtectVirtualMemory (-1, (0x71bf1000), 392, 4, ... (0x71bf1000), 4096, 32, ) == 0x0 03429 896 NtProtectVirtualMemory (-1, (0x71bf1000), 4096, 32, ... (0x71bf1000), 4096, 4, ) == 0x0 03430 896 NtFlushInstructionCache (-1, 1908346880, 392, ... ) == 0x0 03431 896 NtProtectVirtualMemory (-1, (0x71bf1000), 392, 4, ... (0x71bf1000), 4096, 32, ) == 0x0 03432 896 NtProtectVirtualMemory (-1, (0x71bf1000), 4096, 32, ... (0x71bf1000), 4096, 4, ) == 0x0 03433 896 NtFlushInstructionCache (-1, 1908346880, 392, ... ) == 0x0 03434 896 NtProtectVirtualMemory (-1, (0x71bf1000), 392, 4, ... (0x71bf1000), 4096, 32, ) == 0x0 03435 896 NtProtectVirtualMemory (-1, (0x71bf1000), 4096, 32, ... (0x71bf1000), 4096, 4, ) == 0x0 03436 896 NtFlushInstructionCache (-1, 1908346880, 392, ... ) == 0x0 03437 896 NtProtectVirtualMemory (-1, (0x71c91000), 1532, 4, ... (0x71c91000), 4096, 32, ) == 0x0 03438 896 NtProtectVirtualMemory (-1, (0x71c91000), 4096, 32, ... (0x71c91000), 4096, 4, ) == 0x0 03439 896 NtFlushInstructionCache (-1, 1909002240, 1532, ... ) == 0x0 03440 896 NtProtectVirtualMemory (-1, (0x71c11000), 716, 4, ... (0x71c11000), 4096, 32, ) == 0x0 03441 896 NtProtectVirtualMemory (-1, (0x71c11000), 4096, 32, ... (0x71c11000), 4096, 4, ) == 0x0 03442 896 NtFlushInstructionCache (-1, 1908477952, 716, ... ) == 0x0 03443 896 NtProtectVirtualMemory (-1, (0x71c11000), 716, 4, ... (0x71c11000), 4096, 32, ) == 0x0 03444 896 NtProtectVirtualMemory (-1, (0x71c11000), 4096, 32, ... (0x71c11000), 4096, 4, ) == 0x0 03445 896 NtFlushInstructionCache (-1, 1908477952, 716, ... ) == 0x0 03446 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETUI0.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03447 896 NtQueryPerformanceCounter (... {-1443634736, 16}, {3579545, 0}, ) == 0x0 03448 896 NtOpenKey (0x80000000, {24, 0, 0xc0, 0, 0, (0x80000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters"}, ... 460, ) }, ... 460, ) == 0x0 03449 896 NtDuplicateObject (-1, 460, -1, 0x0, 0, 2, ... 464, ) == 0x0 03450 896 NtQueryValueKey (464, (464, "Sort Hyphens", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03451 896 NtClose (464, ... ) == 0x0 03452 896 NtOpenProcessToken (-1, 0x8, ... 464, ) == 0x0 03453 896 NtQueryInformationToken (464, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03454 896 NtClose (464, ... ) == 0x0 03455 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETRAP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03456 896 NtQueryPerformanceCounter (... {-1443633327, 16}, {3579545, 0}, ) == 0x0 03457 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03458 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETUI1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03459 896 NtQueryPerformanceCounter (... {-1443631923, 16}, {3579545, 0}, ) == 0x0 03460 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntlanman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03461 896 NtQueryPerformanceCounter (... {-1443630390, 16}, {3579545, 0}, ) == 0x0 03462 896 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 464, ) == 0x0 03463 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1229636, ... ) }, 1229636, ... ) == 0x0 03464 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 468, {status=0x0, info=1}, ) }, 5, 96, ... 468, {status=0x0, info=1}, ) == 0x0 03465 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 468, ... 472, ) == 0x0 03466 896 NtClose (468, ... ) == 0x0 03467 896 NtMapViewOfSection (472, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 24576, ) == 0x0 03468 896 NtClose (472, ... ) == 0x0 03469 896 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 03470 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 1229944, ... ) }, 1229944, ... ) == 0x0 03471 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\davclnt.dll"}, 5, 96, ... 472, {status=0x0, info=1}, ) }, 5, 96, ... 472, {status=0x0, info=1}, ) == 0x0 03472 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 472, ... 468, ) == 0x0 03473 896 NtQuerySection (468, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03474 896 NtClose (472, ... ) == 0x0 03475 896 NtMapViewOfSection (468, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f70000), 0x0, 36864, ) == 0x0 03476 896 NtClose (468, ... ) == 0x0 03477 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03478 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03479 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03480 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03481 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03482 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03483 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03484 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03485 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03486 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03487 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03488 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03489 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03490 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03491 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03492 896 NtProtectVirtualMemory (-1, (0x75f71000), 284, 4, ... (0x75f71000), 4096, 32, ) == 0x0 03493 896 NtProtectVirtualMemory (-1, (0x75f71000), 4096, 32, ... (0x75f71000), 4096, 4, ) == 0x0 03494 896 NtFlushInstructionCache (-1, 1979125760, 284, ... ) == 0x0 03495 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\davclnt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03496 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider"}, ... 468, ) }, ... 468, ) == 0x0 03497 896 NtQueryValueKey (468, (468, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (468, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0e\0b\0 \0C\0l\0i\0e\0n\0t\0 \0N\0e\0t\0w\0o\0r\0k\0\0\0"}, 50, ) }, 50, ) == 0x0 03498 896 NtClose (468, ... ) == 0x0 03499 896 NtQueryAttributesFile ({24, 140, 0x40, 0, 0, ({24, 140, 0x40, 0, 0, "System32\System32\hgfs.dll"}, 1229628, ... ) }, 1229628, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03500 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\System32\hgfs.dll"}, 1229628, ... ) }, 1229628, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03501 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\System32\hgfs.dll"}, 1229628, ... ) }, 1229628, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03502 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hgfs.dll"}, 1229628, ... ) }, 1229628, ... ) == 0x0 03503 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hgfs.dll"}, 5, 96, ... 468, {status=0x0, info=1}, ) }, 5, 96, ... 468, {status=0x0, info=1}, ) == 0x0 03504 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 468, ... 472, ) == 0x0 03505 896 NtClose (468, ... ) == 0x0 03506 896 NtMapViewOfSection (472, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 94208, ) == 0x0 03507 896 NtClose (472, ... ) == 0x0 03508 896 NtUnmapViewOfSection (-1, 0x9b0000, ... ) == 0x0 03509 896 NtQueryAttributesFile ({24, 140, 0x40, 0, 0, ({24, 140, 0x40, 0, 0, "System32\System32\hgfs.dll"}, 1229936, ... ) }, 1229936, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03510 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\System32\hgfs.dll"}, 1229936, ... ) }, 1229936, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03511 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system\System32\hgfs.dll"}, 1229936, ... ) }, 1229936, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03512 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hgfs.dll"}, 1229936, ... ) }, 1229936, ... ) == 0x0 03513 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\hgfs.dll"}, 5, 96, ... 472, {status=0x0, info=1}, ) }, 5, 96, ... 472, {status=0x0, info=1}, ) == 0x0 03514 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 472, ... 468, ) == 0x0 03515 896 NtQuerySection (468, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03516 896 NtClose (472, ... ) == 0x0 03517 896 NtMapViewOfSection (468, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 94208, ) == 0x0 03518 896 NtClose (468, ... ) == 0x0 03519 896 NtProtectVirtualMemory (-1, (0x1000d000), 364, 4, ... (0x1000d000), 4096, 2, ) == 0x0 03520 896 NtProtectVirtualMemory (-1, (0x1000d000), 4096, 2, ... (0x1000d000), 4096, 4, ) == 0x0 03521 896 NtFlushInstructionCache (-1, 268488704, 364, ... ) == 0x0 03522 896 NtProtectVirtualMemory (-1, (0x1000d000), 364, 4, ... (0x1000d000), 4096, 2, ) == 0x0 03523 896 NtProtectVirtualMemory (-1, (0x1000d000), 4096, 2, ... (0x1000d000), 4096, 4, ) == 0x0 03524 896 NtFlushInstructionCache (-1, 268488704, 364, ... ) == 0x0 03525 896 NtProtectVirtualMemory (-1, (0x1000d000), 364, 4, ... (0x1000d000), 4096, 2, ) == 0x0 03526 896 NtProtectVirtualMemory (-1, (0x1000d000), 4096, 2, ... (0x1000d000), 4096, 4, ) == 0x0 03527 896 NtFlushInstructionCache (-1, 268488704, 364, ... ) == 0x0 03528 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hgfs.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03529 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03530 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10158080, 65536, ) == 0x0 03531 896 NtAllocateVirtualMemory (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0 03532 896 NtAllocateVirtualMemory (-1, 10162176, 0, 8192, 4096, 4, ... 10162176, 8192, ) == 0x0 03533 896 NtAllocateVirtualMemory (-1, 10170368, 0, 4096, 4096, 4, ... 10170368, 4096, ) == 0x0 03534 896 NtAllocateVirtualMemory (-1, 10174464, 0, 4096, 4096, 4, ... 10174464, 4096, ) == 0x0 03535 896 NtOpenDirectoryObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??"}, ... 468, ) }, ... 468, ) == 0x0 03536 896 NtOpenSymbolicLinkObject (0x1, {24, 468, 0x40, 0, 0, (0x1, {24, 468, 0x40, 0, 0, "u:"}, ... 472, ) }, ... 472, ) == 0x0 03537 896 NtQuerySymbolicLinkObject (472, ... (472, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0 03538 896 NtClose (472, ... ) == 0x0 03539 896 NtClose (468, ... ) == 0x0 03540 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03541 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 468, ) == 0x0 03542 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03543 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03544 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1227620, (0xc0100080, {24, 0, 0x40, 0, 1227620, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 472, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 472, {status=0x0, info=1}, ) == 0x0 03545 896 NtSetInformationFile (472, 1227676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03546 896 NtSetInformationFile (472, 1227664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03547 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03548 896 NtWriteFile (472, 189, 0, 0, (472, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03549 896 NtReadFile (472, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (472, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03550 896 NtFsControlFile (472, 189, 0x0, 0x0, 0x11c017, (472, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\4\20\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (472, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\4\20\316q\1\0\0\0\0\0\0\0\1\0\0\0\0\0F\303d\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20q2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03551 896 NtClose (468, ... ) == 0x0 03552 896 NtClose (472, ... ) == 0x0 03553 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03554 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 472, ) == 0x0 03555 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03556 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03557 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1227620, (0xc0100080, {24, 0, 0x40, 0, 1227620, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 468, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 468, {status=0x0, info=1}, ) == 0x0 03558 896 NtSetInformationFile (468, 1227676, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03559 896 NtSetInformationFile (468, 1227664, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03560 896 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03561 896 NtWriteFile (468, 189, 0, 0, (468, 189, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03562 896 NtReadFile (468, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (468, 189, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03563 896 NtFsControlFile (468, 189, 0x0, 0x0, 0x11c017, (468, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (468, 189, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\3\0\0\0\0\0\1\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20r2\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03564 896 NtClose (472, ... ) == 0x0 03565 896 NtClose (468, ... ) == 0x0 03566 896 NtCreateFile (0x100000, {24, 0, 0x40, 0, 0, (0x100000, {24, 0, 0x40, 0, 0, "\Dfs"}, 0x0, 128, 7, 3, 160, 0, 0, ... 468, {status=0x0, info=1}, ) }, 0x0, 128, 7, 3, 160, 0, 0, ... 468, {status=0x0, info=1}, ) == 0x0 03567 896 NtFsControlFile (468, 0, 0x0, 0x0, 0x60008, (468, 0, 0x0, 0x0, 0x60008, "\0\0u\0\0\0\0\0\7\0\0\0\24\0\0\0\340\235D\0\1\0\0\0\5\0\0\0\0\212\24\0\244\321\26\0", 36, 520, ... {status=0x0, info=38}, "\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0", ) , 36, 520, ... {status=0x0, info=38}, (468, 0, 0x0, 0x0, 0x60008, "\0\0u\0\0\0\0\0\7\0\0\0\24\0\0\0\340\235D\0\1\0\0\0\5\0\0\0\0\212\24\0\244\321\26\0", 36, 520, ... {status=0x0, info=38}, "\\0m\0i\0s\0s\0o\0u\0r\0i\0\\0b\0i\0n\0a\0r\0i\0e\0s\0\0\0", ) , ) == 0x0 03568 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03569 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03570 896 NtQueryValueKey (404, (404, "AutoDetect", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "AutoDetect", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03571 896 NtAllocateVirtualMemory (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0 03572 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 472, ) }, ... 472, ) == 0x0 03573 896 NtQueryValueKey (472, (472, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (472, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03574 896 NtQueryValueKey (472, (472, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (472, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03575 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 476, ) == 0x0 03576 896 NtOpenKey (0x2000000, {24, 472, 0x40, 0, 0, (0x2000000, {24, 472, 0x40, 0, 0, "Protocol_Catalog9"}, ... 480, ) }, ... 480, ) == 0x0 03577 896 NtQueryValueKey (480, (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 03578 896 NtNotifyChangeKey (480, 476, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 03579 896 NtQueryValueKey (480, (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 03580 896 NtOpenKey (0x2000000, {24, 480, 0x40, 0, 0, (0x2000000, {24, 480, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03581 896 NtQueryValueKey (480, (480, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 03582 896 NtQueryValueKey (480, (480, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (480, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 03583 896 NtOpenKey (0x2000000, {24, 480, 0x40, 0, 0, (0x2000000, {24, 480, 0x40, 0, 0, "Catalog_Entries"}, ... 484, ) }, ... 484, ) == 0x0 03584 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000001"}, ... 488, ) }, ... 488, ) == 0x0 03585 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03586 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03587 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\4\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\5\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\6\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03588 896 NtClose (488, ... ) == 0x0 03589 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000002"}, ... 488, ) }, ... 488, ) == 0x0 03590 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03591 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03592 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\11\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\12\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\13\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03593 896 NtClose (488, ... ) == 0x0 03594 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000003"}, ... 488, ) }, ... 488, ) == 0x0 03595 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03596 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03597 896 NtAllocateVirtualMemory (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0 03598 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\17\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\20\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\21\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03599 896 NtClose (488, ... ) == 0x0 03600 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000004"}, ... 488, ) }, ... 488, ) == 0x0 03601 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03602 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03603 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\24\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\25\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\26\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03604 896 NtClose (488, ... ) == 0x0 03605 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000005"}, ... 488, ) }, ... 488, ) == 0x0 03606 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03607 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03608 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\31\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\32\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0\33\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03609 896 NtClose (488, ... ) == 0x0 03610 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000006"}, ... 488, ) }, ... 488, ) == 0x0 03611 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03612 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03613 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0\36\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\37\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0 \16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03614 896 NtClose (488, ... ) == 0x0 03615 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000007"}, ... 488, ) }, ... 488, ) == 0x0 03616 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03617 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03618 896 NtAllocateVirtualMemory (-1, 1507328, 0, 4096, 4096, 4, ... 1507328, 4096, ) == 0x0 03619 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0$\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0%\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0&\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0'\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03620 896 NtClose (488, ... ) == 0x0 03621 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000008"}, ... 488, ) }, ... 488, ) == 0x0 03622 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03623 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03624 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0)\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0*\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0+\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0,\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03625 896 NtClose (488, ... ) == 0x0 03626 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000009"}, ... 488, ) }, ... 488, ) == 0x0 03627 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03628 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03629 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\01\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\01\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\01\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0.\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0/\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\00\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\01\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03630 896 NtClose (488, ... ) == 0x0 03631 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000010"}, ... 488, ) }, ... 488, ) == 0x0 03632 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03633 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03634 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\03\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\04\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\05\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\06\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03635 896 NtClose (488, ... ) == 0x0 03636 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000011"}, ... 488, ) }, ... 488, ) == 0x0 03637 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03638 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03639 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0;\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0;\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0;\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\08\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\09\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0:\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0;\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03640 896 NtClose (488, ... ) == 0x0 03641 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000012"}, ... 488, ) }, ... 488, ) == 0x0 03642 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03643 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03644 896 NtAllocateVirtualMemory (-1, 1511424, 0, 4096, 4096, 4, ... 1511424, 4096, ) == 0x0 03645 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0A\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0A\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0A\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0>\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0?\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0@\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0A\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03646 896 NtClose (488, ... ) == 0x0 03647 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000013"}, ... 488, ) }, ... 488, ) == 0x0 03648 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03649 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03650 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0F\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0F\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0F\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0C\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0D\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0E\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0F\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03651 896 NtClose (488, ... ) == 0x0 03652 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000014"}, ... 488, ) }, ... 488, ) == 0x0 03653 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03654 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03655 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0K\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0K\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0K\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0H\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0I\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0J\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0K\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03656 896 NtClose (488, ... ) == 0x0 03657 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000015"}, ... 488, ) }, ... 488, ) == 0x0 03658 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03659 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03660 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0P\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0P\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0P\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0M\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0N\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0O\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0P\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03661 896 NtClose (488, ... ) == 0x0 03662 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000016"}, ... 488, ) }, ... 488, ) == 0x0 03663 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03664 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03665 896 NtAllocateVirtualMemory (-1, 1515520, 0, 4096, 4096, 4, ... 1515520, 4096, ) == 0x0 03666 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0S\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0T\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0U\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0V\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03667 896 NtClose (488, ... ) == 0x0 03668 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000017"}, ... 488, ) }, ... 488, ) == 0x0 03669 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03670 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03671 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0[\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0[\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0[\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0X\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0Y\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0Z\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0[\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03672 896 NtClose (488, ... ) == 0x0 03673 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000018"}, ... 488, ) }, ... 488, ) == 0x0 03674 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03675 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03676 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0`\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0`\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0`\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0]\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0^\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0_\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0`\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03677 896 NtClose (488, ... ) == 0x0 03678 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000019"}, ... 488, ) }, ... 488, ) == 0x0 03679 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03680 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03681 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0b\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0c\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0d\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03682 896 NtClose (488, ... ) == 0x0 03683 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000020"}, ... 488, ) }, ... 488, ) == 0x0 03684 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03685 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03686 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0g\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0h\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0i\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03687 896 NtClose (488, ... ) == 0x0 03688 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000021"}, ... 488, ) }, ... 488, ) == 0x0 03689 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03690 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03691 896 NtAllocateVirtualMemory (-1, 1519616, 0, 4096, 4096, 4, ... 1519616, 4096, ) == 0x0 03692 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0 (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0m\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\344\1\0\0\364\312\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0x\336\26\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0n\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\350\1\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\26\0\2\0\0\0\220\0\0\0o\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0p\16\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\350\1\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 03693 896 NtClose (488, ... ) == 0x0 03694 896 NtOpenKey (0x20019, {24, 484, 0x40, 0, 0, (0x20019, {24, 484, 0x40, 0, 0, "000000000022"}, ... 488, ) }, ... 488, ) == 0x0 03695 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03696 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03697 896 NtQueryValueKey (488, (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\1\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\1\0\0v\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\1\0\0\34\313\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X\340\26\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (488, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\1\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\1\0\0v\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\1\0\0\34\313\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X\340\26\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\350\1\0\0r\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\344\1\0\0s\16\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\334\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\16\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0u\16\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\344\1\0\0v\16\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\330\1\0\0\34\313\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0X\340\26\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 03698 896 NtClose (488, ... ) == 0x0 03699 896 NtClose (484, ... ) == 0x0 03700 896 NtWaitForSingleObject (476, 0, {0, 0}, ... ) == 0x102 03701 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 484, ) == 0x0 03702 896 NtOpenKey (0x2000000, {24, 472, 0x40, 0, 0, (0x2000000, {24, 472, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 488, ) }, ... 488, ) == 0x0 03703 896 NtQueryValueKey (488, (488, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 03704 896 NtNotifyChangeKey (488, 484, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 03705 896 NtQueryValueKey (488, (488, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 03706 896 NtOpenKey (0x2000000, {24, 488, 0x40, 0, 0, (0x2000000, {24, 488, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03707 896 NtQueryValueKey (488, (488, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (488, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 03708 896 NtOpenKey (0x2000000, {24, 488, 0x40, 0, 0, (0x2000000, {24, 488, 0x40, 0, 0, "Catalog_Entries"}, ... 492, ) }, ... 492, ) == 0x0 03709 896 NtOpenKey (0x20019, {24, 492, 0x40, 0, 0, (0x20019, {24, 492, 0x40, 0, 0, "000000000001"}, ... 496, ) }, ... 496, ) == 0x0 03710 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03711 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03712 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 03713 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 03714 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 03715 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 03716 896 NtQueryValueKey (496, (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 03717 896 NtQueryValueKey (496, (496, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03718 896 NtQueryValueKey (496, (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 03719 896 NtQueryValueKey (496, (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03720 896 NtQueryValueKey (496, (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03721 896 NtQueryValueKey (496, (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03722 896 NtClose (496, ... ) == 0x0 03723 896 NtOpenKey (0x20019, {24, 492, 0x40, 0, 0, (0x20019, {24, 492, 0x40, 0, 0, "000000000002"}, ... 496, ) }, ... 496, ) == 0x0 03724 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03725 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03726 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 03727 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 03728 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 03729 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 03730 896 NtQueryValueKey (496, (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 03731 896 NtQueryValueKey (496, (496, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03732 896 NtQueryValueKey (496, (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 03733 896 NtQueryValueKey (496, (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03734 896 NtQueryValueKey (496, (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03735 896 NtQueryValueKey (496, (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03736 896 NtClose (496, ... ) == 0x0 03737 896 NtOpenKey (0x20019, {24, 492, 0x40, 0, 0, (0x20019, {24, 492, 0x40, 0, 0, "000000000003"}, ... 496, ) }, ... 496, ) == 0x0 03738 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03739 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03740 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 03741 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 03742 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 03743 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 03744 896 NtQueryValueKey (496, (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 03745 896 NtQueryValueKey (496, (496, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03746 896 NtQueryValueKey (496, (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 03747 896 NtQueryValueKey (496, (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03748 896 NtQueryValueKey (496, (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03749 896 NtQueryValueKey (496, (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03750 896 NtClose (496, ... ) == 0x0 03751 896 NtAllocateVirtualMemory (-1, 1523712, 0, 4096, 4096, 4, ... 1523712, 4096, ) == 0x0 03752 896 NtOpenKey (0x20019, {24, 492, 0x40, 0, 0, (0x20019, {24, 492, 0x40, 0, 0, "000000000004"}, ... 496, ) }, ... 496, ) == 0x0 03753 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03754 896 NtQueryValueKey (496, (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 03755 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 03756 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 03757 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 03758 896 NtQueryValueKey (496, (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (496, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 03759 896 NtQueryValueKey (496, (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (496, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 03760 896 NtQueryValueKey (496, (496, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03761 896 NtQueryValueKey (496, (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 03762 896 NtQueryValueKey (496, (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03763 896 NtQueryValueKey (496, (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03764 896 NtQueryValueKey (496, (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03765 896 NtClose (496, ... ) == 0x0 03766 896 NtClose (492, ... ) == 0x0 03767 896 NtWaitForSingleObject (484, 0, {0, 0}, ... ) == 0x102 03768 896 NtClose (472, ... ) == 0x0 03769 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03770 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03771 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 472, ) }, ... 472, ) == 0x0 03772 896 NtQueryValueKey (472, (472, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03773 896 NtClose (472, ... ) == 0x0 03774 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 472, ) == 0x0 03775 896 NtWaitForSingleObject (484, 0, {0, 0}, ... ) == 0x102 03776 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1228716, ... ) }, 1228716, ... ) == 0x0 03777 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 492, {status=0x0, info=1}, ) }, 5, 96, ... 492, {status=0x0, info=1}, ) == 0x0 03778 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 492, ... 496, ) == 0x0 03779 896 NtClose (492, ... ) == 0x0 03780 896 NtMapViewOfSection (496, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 245760, ) == 0x0 03781 896 NtClose (496, ... ) == 0x0 03782 896 NtUnmapViewOfSection (-1, 0x9c0000, ... ) == 0x0 03783 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1229024, ... ) }, 1229024, ... ) == 0x0 03784 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 496, {status=0x0, info=1}, ) }, 5, 96, ... 496, {status=0x0, info=1}, ) == 0x0 03785 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 496, ... 492, ) == 0x0 03786 896 NtQuerySection (492, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03787 896 NtClose (496, ... ) == 0x0 03788 896 NtMapViewOfSection (492, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 03789 896 NtClose (492, ... ) == 0x0 03790 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 03791 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 03792 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 03793 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 03794 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 03795 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 03796 896 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 03797 896 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 03798 896 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 03799 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03800 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03801 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03802 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03803 896 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10223616, 65536, ) == 0x0 03804 896 NtAllocateVirtualMemory (-1, 10223616, 0, 4096, 4096, 4, ... 10223616, 4096, ) == 0x0 03805 896 NtAllocateVirtualMemory (-1, 10227712, 0, 8192, 4096, 4, ... 10227712, 8192, ) == 0x0 03806 896 NtConnectPort ( ("\NLAPublicPort", {12, 0, 1, 0}, 0x0, 0x0, 1231576, 48, ... 496, 0x0, 0x0, 0x0, 48, ) , {12, 0, 1, 0}, 0x0, 0x0, 1231576, 48, ... 496, 0x0, 0x0, 0x0, 48, ) == 0x0 03807 896 NtMapViewOfSection (492, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9d0000), {0, 0}, 4096, ) == 0x0 03808 896 NtRequestWaitReplyPort (496, {48, 72, new_msg, 0, 0, 0, 0, 0} (496, {48, 72, new_msg, 0, 0, 0, 0, 0} "WsMb\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {48, 72, reply, 0, 1252, 896, 81860, 0} "WsMb\364\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {48, 72, reply, 0, 1252, 896, 81860, 0} (496, {48, 72, new_msg, 0, 0, 0, 0, 0} "WsMb\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {48, 72, reply, 0, 1252, 896, 81860, 0} "WsMb\364\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03809 896 NtMapViewOfSection (500, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9e0000), {0, 0}, 4096, ) == 0x0 03810 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03811 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 504, ) == 0x0 03812 896 NtQueryInformationToken (504, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03813 896 NtClose (504, ... ) == 0x0 03814 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 504, ) }, ... 504, ) == 0x0 03815 896 NtCreateKey (0x20019, {24, 504, 0x40, 0, 0, (0x20019, {24, 504, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness"}, 0, "REG_SZ", 0, ... 508, 2, ) }, 0, (0x20019, {24, 504, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness"}, 0, "REG_SZ", 0, ... 508, 2, ) , 0, ... 508, 2, ) == 0x0 03816 896 NtClose (504, ... ) == 0x0 03817 896 NtQueryKey (508, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03818 896 NtQueryKey (508, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03819 896 NtQueryKey (508, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03820 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 504, ) }, ... 504, ) == 0x0 03821 896 NtQueryValueKey (504, (504, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (504, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03822 896 NtQueryValueKey (504, (504, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (504, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03823 896 NtQueryValueKey (504, (504, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03824 896 NtClose (504, ... ) == 0x0 03825 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03826 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1229708, ... ) }, 1229708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03827 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 1229708, ... ) }, 1229708, ... ) == 0x0 03828 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rasadhlp.dll"}, 5, 96, ... 504, {status=0x0, info=1}, ) }, 5, 96, ... 504, {status=0x0, info=1}, ) == 0x0 03829 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 504, ... 512, ) == 0x0 03830 896 NtQuerySection (512, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03831 896 NtClose (504, ... ) == 0x0 03832 896 NtMapViewOfSection (512, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 24576, ) == 0x0 03833 896 NtClose (512, ... ) == 0x0 03834 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0 03835 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0 03836 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0 03837 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0 03838 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0 03839 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0 03840 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0 03841 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0 03842 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0 03843 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0 03844 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0 03845 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0 03846 896 NtProtectVirtualMemory (-1, (0x76fc1000), 152, 4, ... (0x76fc1000), 4096, 32, ) == 0x0 03847 896 NtProtectVirtualMemory (-1, (0x76fc1000), 4096, 32, ... (0x76fc1000), 4096, 4, ) == 0x0 03848 896 NtFlushInstructionCache (-1, 1996230656, 152, ... ) == 0x0 03849 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03850 896 NtQueryPerformanceCounter (... {-1443379312, 16}, {3579545, 0}, ) == 0x0 03851 896 NtRequestWaitReplyPort (496, {48, 72, new_msg, 0, 0, 0, 0, 0} (496, {48, 72, new_msg, 0, 0, 0, 0, 0} "WsMb\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\36\234\0" ... {48, 72, reply, 0, 1252, 896, 81869, 0} "WsMb\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\36\234\0" ) ... {48, 72, reply, 0, 1252, 896, 81869, 0} (496, {48, 72, new_msg, 0, 0, 0, 0, 0} "WsMb\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\36\234\0" ... {48, 72, reply, 0, 1252, 896, 81869, 0} "WsMb\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\36\234\0" ) ) == 0x0 03852 896 NtUnmapViewOfSection (-1, 0x9d0000, ... ) == 0x0 03853 896 NtClose (492, ... ) == 0x0 03854 896 NtUnmapViewOfSection (-1, 0x9e0000, ... ) == 0x0 03855 896 NtClose (500, ... ) == 0x0 03856 896 NtClose (496, ... ) == 0x0 03857 896 NtClose (508, ... ) == 0x0 03858 896 NtYieldExecution (... ) == STATUS_NO_YIELD_PERFORMED 03859 896 NtClose (480, ... ) == 0x0 03860 896 NtClose (476, ... ) == 0x0 03861 896 NtFreeVirtualMemory (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 65536, ) == 0x0 03862 896 NtYieldExecution (... ) == STATUS_NO_YIELD_PERFORMED 03863 896 NtClose (488, ... ) == 0x0 03864 896 NtClose (484, ... ) == 0x0 03865 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03866 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03867 896 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03868 896 NtReleaseMutant (384, ... 0x0, ) == 0x0 03869 896 NtWaitForSingleObject (392, 0, 0x0, ... ) == 0x0 03870 896 NtReleaseMutant (392, ... 0x0, ) == 0x0 03871 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 484, ) }, ... 484, ) == 0x0 03872 896 NtQueryValueKey (484, (484, "1806", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (484, "1806", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03873 896 NtWaitForSingleObject (392, 0, 0x0, ... ) == 0x0 03874 896 NtReleaseMutant (392, ... 0x0, ) == 0x0 03875 896 NtClose (484, ... ) == 0x0 03876 896 NtClose (424, ... ) == 0x0 03877 896 NtClose (404, ... ) == 0x0 03878 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHDOCVW.dll"}, ... 404, ) }, ... 404, ) == 0x0 03879 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77760000), 0x0, 1507328, ) == 0x0 03880 896 NtClose (404, ... ) == 0x0 03881 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 03882 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 03883 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 03884 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 404, ) }, ... 404, ) == 0x0 03885 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77a80000), 0x0, 606208, ) == 0x0 03886 896 NtClose (404, ... ) == 0x0 03887 896 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 03888 896 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 03889 896 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 03890 896 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 03891 896 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 03892 896 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 03893 896 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 03894 896 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 03895 896 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 03896 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 404, ) }, ... 404, ) == 0x0 03897 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b20000), 0x0, 73728, ) == 0x0 03898 896 NtClose (404, ... ) == 0x0 03899 896 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 03900 896 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 03901 896 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 03902 896 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 03903 896 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 03904 896 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 03905 896 NtProtectVirtualMemory (-1, (0x77b21000), 160, 4, ... (0x77b21000), 4096, 32, ) == 0x0 03906 896 NtProtectVirtualMemory (-1, (0x77b21000), 4096, 32, ... (0x77b21000), 4096, 4, ) == 0x0 03907 896 NtFlushInstructionCache (-1, 2008158208, 160, ... ) == 0x0 03908 896 NtProtectVirtualMemory (-1, (0x77a81000), 1340, 4, ... (0x77a81000), 4096, 32, ) == 0x0 03909 896 NtProtectVirtualMemory (-1, (0x77a81000), 4096, 32, ... (0x77a81000), 4096, 4, ) == 0x0 03910 896 NtFlushInstructionCache (-1, 2007502848, 1340, ... ) == 0x0 03911 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 03912 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 03913 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 03914 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPTUI.dll"}, ... 404, ) }, ... 404, ) == 0x0 03915 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x754d0000), 0x0, 524288, ) == 0x0 03916 896 NtClose (404, ... ) == 0x0 03917 896 NtQueryDefaultUILanguage (1231456, ... 03918 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03919 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 03920 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03921 896 NtClose (-2147482756, ... ) == 0x0 03922 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 03923 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03924 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 03925 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03926 896 NtClose (-2147481452, ... ) == 0x0 03927 896 NtClose (-2147482756, ... ) == 0x0 03917 896 NtQueryDefaultUILanguage ... ) == 0x0 03928 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPTUI.dll.2.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03929 896 NtQueryDefaultLocale (1, 1229552, ... ) == 0x0 03930 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\CRYPTUI.dll.2.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03931 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1230588, 1179817, 1230312} (24, {128, 156, new_msg, 0, 2088850039, 1230588, 1179817, 1230312} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0`\306Qu\0\0\0\0\270\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81871, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0`\306Qu\0\0\0\0\270\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\312\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81871, 0} (24, {128, 156, new_msg, 0, 2088850039, 1230588, 1179817, 1230312} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0`\306Qu\0\0\0\0\270\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\312\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81871, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\0\0\0\0\377\377\377\377\0\0\0\0`\306Qu\0\0\0\0\270\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\360\312\22\0\0\0\0\0" ) ) == 0x0 03932 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03933 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03934 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03935 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03936 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03937 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03938 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03939 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINTRUST.dll"}, ... 404, ) }, ... 404, ) == 0x0 03940 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c30000), 0x0, 188416, ) == 0x0 03941 896 NtClose (404, ... ) == 0x0 03942 896 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 03943 896 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 03944 896 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 03945 896 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 03946 896 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 03947 896 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 03948 896 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 03949 896 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 03950 896 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 03951 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "IMAGEHLP.dll"}, ... 404, ) }, ... 404, ) == 0x0 03952 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76c90000), 0x0, 163840, ) == 0x0 03953 896 NtClose (404, ... ) == 0x0 03954 896 NtProtectVirtualMemory (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0 03955 896 NtProtectVirtualMemory (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0 03956 896 NtFlushInstructionCache (-1, 1992888320, 504, ... ) == 0x0 03957 896 NtProtectVirtualMemory (-1, (0x76c91000), 504, 4, ... (0x76c91000), 4096, 32, ) == 0x0 03958 896 NtProtectVirtualMemory (-1, (0x76c91000), 4096, 32, ... (0x76c91000), 4096, 4, ) == 0x0 03959 896 NtFlushInstructionCache (-1, 1992888320, 504, ... ) == 0x0 03960 896 NtProtectVirtualMemory (-1, (0x76c31000), 1204, 4, ... (0x76c31000), 4096, 32, ) == 0x0 03961 896 NtProtectVirtualMemory (-1, (0x76c31000), 4096, 32, ... (0x76c31000), 4096, 4, ) == 0x0 03962 896 NtFlushInstructionCache (-1, 1992495104, 1204, ... ) == 0x0 03963 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03964 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03965 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03966 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03967 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03968 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03969 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03970 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03971 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03972 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03973 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03974 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03975 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03976 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03977 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03978 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03979 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03980 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03981 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 404, ) }, ... 404, ) == 0x0 03982 896 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 03983 896 NtClose (404, ... ) == 0x0 03984 896 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 03985 896 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 03986 896 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 03987 896 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 03988 896 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... (0x76f61000), 4096, 4, ) == 0x0 03989 896 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 03990 896 NtProtectVirtualMemory (-1, (0x754d1000), 1484, 4, ... (0x754d1000), 4096, 32, ) == 0x0 03991 896 NtProtectVirtualMemory (-1, (0x754d1000), 4096, 32, ... (0x754d1000), 4096, 4, ) == 0x0 03992 896 NtFlushInstructionCache (-1, 1967984640, 1484, ... ) == 0x0 03993 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 03994 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 03995 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 03996 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 03997 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 03998 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 03999 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 04000 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 04001 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 04002 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 04003 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 04004 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 04005 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 04006 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 04007 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 04008 896 NtProtectVirtualMemory (-1, (0x77761000), 2836, 4, ... (0x77761000), 4096, 32, ) == 0x0 04009 896 NtProtectVirtualMemory (-1, (0x77761000), 4096, 32, ... (0x77761000), 4096, 4, ) == 0x0 04010 896 NtFlushInstructionCache (-1, 2004226048, 2836, ... ) == 0x0 04011 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04012 896 NtQueryPerformanceCounter (... {-1443265698, 16}, {3579545, 0}, ) == 0x0 04013 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04014 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04015 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04016 896 NtCreateEvent (0x1f0003, {24, 44, 0x80, 1232740, 0, (0x1f0003, {24, 44, 0x80, 1232740, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 04017 896 NtOpenEvent (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 404, ) }, ... 404, ) == 0x0 04018 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMAGEHLP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04019 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04020 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 04021 896 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04022 896 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12779520, 1048576, ) == 0x0 04023 896 NtAllocateVirtualMemory (-1, 12779520, 0, 1048576, 4096, 4, ... 12779520, 1048576, ) == 0x0 04024 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINTRUST.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04025 896 NtCreateMutant (0x1f0001, 0x0, 0, ... 424, ) == 0x0 04026 896 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 484, ) == 0x0 04027 896 NtCreateMutant (0x1f0001, 0x0, 0, ... 488, ) == 0x0 04028 896 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 476, ) == 0x0 04029 896 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 480, ) == 0x0 04030 896 NtSetEvent (480, ... 0x0, ) == 0x0 04031 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04032 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 508, ) == 0x0 04033 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 496, ) }, ... 496, ) == 0x0 04034 896 NtQueryValueKey (496, (496, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (496, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04035 896 NtClose (496, ... ) == 0x0 04036 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPTUI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04037 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04038 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04039 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04040 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1228668, ... ) }, 1228668, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04041 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04042 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04043 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04044 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1228732, ... ) }, 1228732, ... ) == 0x0 04045 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 496, {status=0x0, info=1}, ) }, 3, 33, ... 496, {status=0x0, info=1}, ) == 0x0 04046 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04047 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RichEd20.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04048 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RichEd20.dll"}, 1230692, ... ) }, 1230692, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04049 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RichEd20.dll"}, 1230692, ... ) }, 1230692, ... ) == 0x0 04050 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\RichEd20.dll"}, 5, 96, ... 500, {status=0x0, info=1}, ) }, 5, 96, ... 500, {status=0x0, info=1}, ) == 0x0 04051 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 500, ... 492, ) == 0x0 04052 896 NtQuerySection (492, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04053 896 NtClose (500, ... ) == 0x0 04054 896 NtMapViewOfSection (492, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x74e30000), 0x0, 442368, ) == 0x0 04055 896 NtClose (492, ... ) == 0x0 04056 896 NtProtectVirtualMemory (-1, (0x74e31000), 1092, 4, ... (0x74e31000), 4096, 32, ) == 0x0 04057 896 NtProtectVirtualMemory (-1, (0x74e31000), 4096, 32, ... (0x74e31000), 4096, 4, ) == 0x0 04058 896 NtFlushInstructionCache (-1, 1961037824, 1092, ... ) == 0x0 04059 896 NtProtectVirtualMemory (-1, (0x74e31000), 1092, 4, ... (0x74e31000), 4096, 32, ) == 0x0 04060 896 NtProtectVirtualMemory (-1, (0x74e31000), 4096, 32, ... (0x74e31000), 4096, 4, ) == 0x0 04061 896 NtFlushInstructionCache (-1, 1961037824, 1092, ... ) == 0x0 04062 896 NtProtectVirtualMemory (-1, (0x74e31000), 1092, 4, ... (0x74e31000), 4096, 32, ) == 0x0 04063 896 NtProtectVirtualMemory (-1, (0x74e31000), 4096, 32, ... (0x74e31000), 4096, 4, ) == 0x0 04064 896 NtFlushInstructionCache (-1, 1961037824, 1092, ... ) == 0x0 04065 896 NtProtectVirtualMemory (-1, (0x74e31000), 1092, 4, ... (0x74e31000), 4096, 32, ) == 0x0 04066 896 NtProtectVirtualMemory (-1, (0x74e31000), 4096, 32, ... (0x74e31000), 4096, 4, ) == 0x0 04067 896 NtFlushInstructionCache (-1, 1961037824, 1092, ... ) == 0x0 04068 896 NtProtectVirtualMemory (-1, (0x74e31000), 1092, 4, ... (0x74e31000), 4096, 32, ) == 0x0 04069 896 NtProtectVirtualMemory (-1, (0x74e31000), 4096, 32, ... (0x74e31000), 4096, 4, ) == 0x0 04070 896 NtFlushInstructionCache (-1, 1961037824, 1092, ... ) == 0x0 04071 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RichEd20.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04072 896 NtQueryPerformanceCounter (... {-1443229652, 16}, {3579545, 0}, ) == 0x0 04073 896 NtUserRegisterWindowMessage ( ("MSWHEEL_ROLLMSG", ... ) , ... ) == 0xc08f 04074 896 NtUserRegisterWindowMessage ( ("MSIMEMouseOperation", ... ) , ... ) == 0xc083 04075 896 NtUserRegisterWindowMessage ( ("MSIMEDocumentFeed", ... ) , ... ) == 0xc07f 04076 896 NtUserRegisterWindowMessage ( ("MSIMEQueryPosition", ... ) , ... ) == 0xc080 04077 896 NtUserRegisterWindowMessage ( ("MSIMEService", ... ) , ... ) == 0xc07b 04078 896 NtUserRegisterClassExWOW (1228484, 1228552, 1228568, 1228584, 0, 384, 0, ... ) == 0x8177c191 04079 896 NtUserRegisterClassExWOW (1228740, 1228836, 1228820, 1228808, 0, 386, 0, ... ) == 0x8177c163 04080 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHDOCVW.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04081 896 NtUserUnregisterClass (1231668, 1961033728, 1231656, ... ) == 0x1 04082 896 NtUserUnregisterClass (1230864, 1961033728, 1230852, ... ) == 0x1 04083 896 NtUnmapViewOfSection (-1, 0x74e30000, ... ) == 0x0 04084 896 NtQueryDefaultUILanguage (1230936, ... 04085 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04086 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482756, ) == 0x0 04087 896 NtQueryInformationToken (-2147482756, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04088 896 NtClose (-2147482756, ... ) == 0x0 04089 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482756, ) }, ... -2147482756, ) == 0x0 04090 896 NtOpenKey (0x80000000, {24, -2147482756, 0x240, 0, 0, (0x80000000, {24, -2147482756, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04091 896 NtOpenKey (0x80000000, {24, -2147482756, 0x640, 0, 0, (0x80000000, {24, -2147482756, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481452, ) }, ... -2147481452, ) == 0x0 04092 896 NtQueryValueKey (-2147481452, (-2147481452, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04093 896 NtClose (-2147481452, ... ) == 0x0 04094 896 NtClose (-2147482756, ... ) == 0x0 04084 896 NtQueryDefaultUILanguage ... ) == 0x0 04095 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHDOCVW.dll"}, 1, 96, ... 492, {status=0x0, info=1}, ) }, 1, 96, ... 492, {status=0x0, info=1}, ) == 0x0 04096 896 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 492, ... 500, ) == 0x0 04097 896 NtMapViewOfSection (500, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xd30000), 0x0, 1499136, ) == 0x0 04098 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHDOCVW.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04099 896 NtQueryDefaultLocale (1, 1229032, ... ) == 0x0 04100 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHDOCVW.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04101 896 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 2088850039, 1230068, 1179817, 1229792} (24, {128, 156, new_msg, 0, 2088850039, 1230068, 1179817, 1229792} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\354\1\0\0\377\377\377\377\0\0\0\0@\277\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\350\310\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81872, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\354\1\0\0\377\377\377\377\0\0\0\0@\277\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\350\310\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 1252, 896, 81872, 0} (24, {128, 156, new_msg, 0, 2088850039, 1230068, 1179817, 1229792} "\210\6!\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\354\1\0\0\377\377\377\377\0\0\0\0@\277\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\350\310\22\0\0\0\0\0" ... {128, 156, reply, 0, 1252, 896, 81872, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6!\1\354\1\0\0\377\377\377\377\0\0\0\0@\277\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6!\1\0\0\0\0\0\0\0\0\350\310\22\0\0\0\0\0" ) ) == 0x0 04102 896 NtClose (492, ... ) == 0x0 04103 896 NtClose (500, ... ) == 0x0 04104 896 NtUnmapViewOfSection (-1, 0xd30000, ... ) == 0x0 04105 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04106 896 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04107 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04108 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04109 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1227676, ... ) }, 1227676, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04110 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04111 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04112 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04113 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1227740, ... ) }, 1227740, ... ) == 0x0 04114 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 500, {status=0x0, info=1}, ) }, 3, 33, ... 500, {status=0x0, info=1}, ) == 0x0 04115 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 04116 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04117 896 NtGdiCreateHalftonePalette (0, ... ) == 0x720804dc 04118 896 NtGdiDoPalette (1913128156, 0, 256, 1231812, 2, 0, ... ) == 0x100 04119 896 NtGdiDeleteObjectApp (1913128156, ... ) == 0x1 04120 896 NtGdiCreateCompatibleDC (0, ... ) == 0x730104dc 04121 896 NtGdiCreatePaletteInternal (1231808, 256, ... ) == 0x28080554 04122 896 NtGdiDeleteObjectApp (1929446620, ... ) == 0x1 04123 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04124 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04125 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\clsid\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}"}, ... 492, ) }, ... 492, ) == 0x0 04126 896 NtClose (494, ... ) == 0x0 04127 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04128 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04129 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\Typelib"}, ... 492, ) }, ... 492, ) == 0x0 04130 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib0"}, 186, ) }, 186, ) == 0x0 04131 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04132 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04133 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04134 896 NtClose (512, ... ) == 0x0 04135 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04136 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0E\0A\0B\02\02\0A\0C\00\0-\03\00\0C\01\0-\01\01\0C\0F\0-\0A\07\0E\0B\0-\00\00\00\00\0C\00\05\0B\0A\0E\00\0B\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 04137 896 NtClose (494, ... ) == 0x0 04138 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04139 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04140 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{b722bccb-4e68-101b-a2bc-00aa00404770}\ProxyStubClsid32"}, ... 492, ) }, ... 492, ) == 0x0 04141 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 04142 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04143 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04144 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04145 896 NtClose (512, ... ) == 0x0 04146 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04147 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 04148 896 NtClose (494, ... ) == 0x0 04149 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04150 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04151 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{79eac9c4-baf9-11ce-8c82-00aa004ba90b}\ProxyStubClsid32"}, ... 492, ) }, ... 492, ) == 0x0 04152 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 04153 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04154 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04155 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04156 896 NtClose (512, ... ) == 0x0 04157 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04158 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0B\08\0D\0A\06\03\01\00\0-\0E\01\09\0B\0-\01\01\0D\00\0-\09\03\03\0C\0-\00\00\0A\00\0C\09\00\0D\0C\0A\0A\09\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 04159 896 NtClose (494, ... ) == 0x0 04160 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04161 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04162 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... 492, ) }, ... 492, ) == 0x0 04163 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 04164 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04165 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04166 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04167 896 NtClose (512, ... ) == 0x0 04168 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{000214E6-0000-0000-C000-000000000046}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04169 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 04170 896 NtClose (494, ... ) == 0x0 04171 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04172 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, "Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04173 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... 492, ) }, ... 492, ) == 0x0 04174 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 04175 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04176 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04177 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04178 896 NtClose (512, ... ) == 0x0 04179 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\Interface\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04180 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="{\0b\0f\05\00\0b\06\08\0e\0-\02\09\0b\08\0-\04\03\08\06\0-\0a\0e\09\0c\0-\09\07\03\04\0d\05\01\01\07\0c\0d\05\0}\0\0\0"}, 90, ) }, 90, ) == 0x0 04181 896 NtClose (494, ... ) == 0x0 04182 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 04183 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 04184 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 04185 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 04186 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 04187 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 04188 896 NtReleaseSemaphore (48, 1, ... 0, ) == 0x0 04189 896 NtWaitForSingleObject (48, 0, {0, 0}, ... ) == 0x0 04190 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04191 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04192 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 492, ) }, ... 492, ) == 0x0 04193 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0 04194 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04195 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04196 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04197 896 NtClose (512, ... ) == 0x0 04198 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04199 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 04200 896 NtClose (494, ... ) == 0x0 04201 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04202 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".ade"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04203 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.ade"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04204 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04205 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".adp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04206 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.adp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04207 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04208 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".app"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04209 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.app"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04210 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04211 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".asp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04212 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.asp"}, ... 492, ) }, ... 492, ) == 0x0 04213 896 NtQueryKey (494, Name, 392, ... {Name= (494, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.aspo"}, 82, ) }, 82, ) == 0x0 04214 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04215 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 512, ) == 0x0 04216 896 NtQueryInformationToken (512, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04217 896 NtClose (512, ... ) == 0x0 04218 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\.asp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04219 896 NtQueryValueKey (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (494, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="a\0s\0p\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 04220 896 NtClose (494, ... ) == 0x0 04221 896 NtQueryKey (222, Name, 384, ... {Name= (222, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0 04222 896 NtOpenKey (0x1, {24, 222, 0x40, 0, 0, (0x1, {24, 222, 0x40, 0, 0, ".bas"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04223 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bas"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04224 896 NtAllocateVirtualMemory (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0 04225 896 NtAllocateVirtualMemory (-1, 1527808, 0, 4096, 4096, 4, ... 1527808, 4096, ) == 0x0 04226 896 NtAllocateVirtualMemory (-1, 1531904, 0, 4096, 4096, 4, ... 1531904, 4096, ) == 0x0 04227 896 NtQueryValueKey (132, (132, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04228 896 NtQueryValueKey (132, (132, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "SecureProtocols", Partial, 144, ... TitleIdx=0, Type=4, Data="\240\0\0\0"}, 16, ) }, 16, ) == 0x0 04229 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies"}, ... 492, ) }, ... 492, ) == 0x0 04230 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies"}, ... 512, ) }, ... 512, ) == 0x0 04231 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software"}, ... 504, ) }, ... 504, ) == 0x0 04232 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software"}, ... 516, ) }, ... 516, ) == 0x0 04233 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04234 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04235 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04236 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 520, ) }, ... 520, ) == 0x0 04237 896 NtQueryValueKey (520, (520, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (520, "CertificateRevocation", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04238 896 NtClose (520, ... ) == 0x0 04239 896 NtQueryValueKey (132, (132, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04240 896 NtQueryValueKey (132, (132, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04241 896 NtQueryValueKey (132, (132, "IdnEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04242 896 NtQueryValueKey (132, (132, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04243 896 NtQueryValueKey (132, (132, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04244 896 NtQueryValueKey (132, (132, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04245 896 NtQueryValueKey (132, (132, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04246 896 NtQueryValueKey (132, (132, "DisableBasicOverClearChannel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04247 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04248 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04249 896 NtOpenKey (0x20019, {24, 84, 0x40, 0, 0, (0x20019, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04250 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 520, ) }, ... 520, ) == 0x0 04251 896 NtQueryValueKey (520, (520, "Feature_ClientAuthCertFilter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04252 896 NtClose (520, ... ) == 0x0 04253 896 NtRequestWaitReplyPort (444, {28, 52, new_msg, 0, 0, 0, 0, 0} (444, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\320!\27\0" ... {188, 212, reply, 0, 1252, 896, 81873, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ... {188, 212, reply, 0, 1252, 896, 81873, 0} (444, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\353\6\10\2\320!\27\0" ... {188, 212, reply, 0, 1252, 896, 81873, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\34\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0" ) ) == 0x0 04254 896 NtQueryValueKey (132, (132, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04255 896 NtOpenKey (0x9, {24, 16, 0x40, 0, 0, (0x9, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 520, ) }, ... 520, ) == 0x0 04256 896 NtQueryValueKey (520, (520, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04257 896 NtClose (520, ... ) == 0x0 04258 896 NtOpenKey (0xf, {24, 16, 0x40, 0, 0, (0xf, {24, 16, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 520, ) }, ... 520, ) == 0x0 04259 896 NtOpenKey (0xf, {24, 84, 0x40, 0, 0, (0xf, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 524, ) }, ... 524, ) == 0x0 04260 896 NtOpenKey (0x9, {24, 84, 0x40, 0, 0, (0x9, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 528, ) }, ... 528, ) == 0x0 04261 896 NtQueryValueKey (528, (528, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 04262 896 NtQueryValueKey (528, (528, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 04263 896 NtClose (528, ... ) == 0x0 04264 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "Content"}, ... 528, ) }, ... 528, ) == 0x0 04265 896 NtQueryValueKey (528, (528, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04266 896 NtOpenKey (0xf, {24, 520, 0x40, 0, 0, (0xf, {24, 520, 0x40, 0, 0, "Content"}, ... 532, ) }, ... 532, ) == 0x0 04267 896 NtQueryValueKey (532, (532, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (532, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04268 896 NtClose (532, ... ) == 0x0 04269 896 NtClose (528, ... ) == 0x0 04270 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "Content"}, ... 528, ) }, ... 528, ) == 0x0 04271 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04272 896 NtCreateSemaphore (0x1f0003, {24, 44, 0x80, 1330600, 0, (0x1f0003, {24, 44, 0x80, 1330600, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 532, ) }, 0, 2147483647, ... 532, ) == STATUS_OBJECT_NAME_EXISTS 04273 896 NtReleaseSemaphore (532, 1, ... 0, ) == 0x0 04274 896 NtWaitForSingleObject (532, 0, {0, 0}, ... ) == 0x0 04275 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04276 896 NtQueryValueKey (536, (536, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (536, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 04277 896 NtClose (536, ... ) == 0x0 04278 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1222060, ... ) }, 1222060, ... ) == 0x0 04279 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04280 896 NtSetValueKey (536, (536, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 0, 1, (536, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 162, ... ) , 162, ... ) == 0x0 04281 896 NtClose (536, ... ) == 0x0 04282 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1222752, ... ) }, 1222752, ... ) == 0x0 04283 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 1221960, ... ) }, 1221960, ... ) == 0x0 04284 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 536, {status=0x0, info=1}, ) }, 7, 2113568, ... 536, {status=0x0, info=1}, ) == 0x0 04285 896 NtSetInformationFile (536, 1221932, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04286 896 NtClose (536, ... ) == 0x0 04287 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\desktop.ini"}, 1221956, ... ) }, 1221956, ... ) == 0x0 04288 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1222752, ... ) }, 1222752, ... ) == 0x0 04289 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 1221960, ... ) }, 1221960, ... ) == 0x0 04290 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5"}, 7, 2113568, ... 536, {status=0x0, info=1}, ) }, 7, 2113568, ... 536, {status=0x0, info=1}, ) == 0x0 04291 896 NtSetInformationFile (536, 1221932, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04292 896 NtClose (536, ... ) == 0x0 04293 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1221956, ... ) }, 1221956, ... ) == 0x0 04294 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04295 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04296 896 NtQueryValueKey (528, (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\260\376\3\0"}, 16, ) }, 16, ) == 0x0 04297 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "Cookies"}, ... 536, ) }, ... 536, ) == 0x0 04298 896 NtQueryValueKey (536, (536, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04299 896 NtOpenKey (0xf, {24, 520, 0x40, 0, 0, (0xf, {24, 520, 0x40, 0, 0, "Cookies"}, ... 540, ) }, ... 540, ) == 0x0 04300 896 NtQueryValueKey (540, (540, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (540, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04301 896 NtClose (540, ... ) == 0x0 04302 896 NtClose (536, ... ) == 0x0 04303 896 NtClose (528, ... ) == 0x0 04304 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "Cookies"}, ... 528, ) }, ... 528, ) == 0x0 04305 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04306 896 NtReleaseSemaphore (532, 1, ... 0, ) == 0x0 04307 896 NtWaitForSingleObject (532, 0, {0, 0}, ... ) == 0x0 04308 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04309 896 NtQueryValueKey (536, (536, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (536, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 04310 896 NtClose (536, ... ) == 0x0 04311 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1222060, ... ) }, 1222060, ... ) == 0x0 04312 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04313 896 NtSetValueKey (536, (536, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 0, 1, (536, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 98, ... ) , 98, ... ) == 0x0 04314 896 NtClose (536, ... ) == 0x0 04315 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies"}, 1222752, ... ) }, 1222752, ... ) == 0x0 04316 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 04317 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 04318 896 NtQueryValueKey (528, (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04319 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "History"}, ... 536, ) }, ... 536, ) == 0x0 04320 896 NtQueryValueKey (536, (536, "PerUserItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04321 896 NtOpenKey (0xf, {24, 520, 0x40, 0, 0, (0xf, {24, 520, 0x40, 0, 0, "History"}, ... 540, ) }, ... 540, ) == 0x0 04322 896 NtQueryValueKey (540, (540, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (540, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04323 896 NtClose (540, ... ) == 0x0 04324 896 NtClose (536, ... ) == 0x0 04325 896 NtClose (528, ... ) == 0x0 04326 896 NtOpenKey (0xf, {24, 524, 0x40, 0, 0, (0xf, {24, 524, 0x40, 0, 0, "History"}, ... 528, ) }, ... 528, ) == 0x0 04327 896 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04328 896 NtReleaseSemaphore (532, 1, ... 0, ) == 0x0 04329 896 NtWaitForSingleObject (532, 0, {0, 0}, ... ) == 0x0 04330 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04331 896 NtQueryValueKey (536, (536, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (536, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 04332 896 NtClose (536, ... ) == 0x0 04333 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1222060, ... ) }, 1222060, ... ) == 0x0 04334 896 NtCreateKey (0x2000000, {24, 84, 0x40, 0, 0, (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 536, 2, ) }, 0, 0x0, 0, ... 536, 2, ) == 0x0 04335 896 NtSetValueKey (536, (536, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 0, 1, (536, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 128, ... ) , 128, ... ) == 0x0 04336 896 NtClose (536, ... ) == 0x0 04337 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1222752, ... ) }, 1222752, ... ) == 0x0 04338 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 1221960, ... ) }, 1221960, ... ) == 0x0 04339 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History"}, 7, 2113568, ... 536, {status=0x0, info=1}, ) }, 7, 2113568, ... 536, {status=0x0, info=1}, ) == 0x0 04340 896 NtSetInformationFile (536, 1221932, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04341 896 NtClose (536, ... ) == 0x0 04342 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\desktop.ini"}, 1221956, ... ) }, 1221956, ... ) == 0x0 04343 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1222752, ... ) }, 1222752, ... ) == 0x0 04344 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 1221960, ... ) }, 1221960, ... ) == 0x0 04345 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5"}, 7, 2113568, ... 536, {status=0x0, info=1}, ) }, 7, 2113568, ... 536, {status=0x0, info=1}, ) == 0x0 04346 896 NtSetInformationFile (536, 1221932, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04347 896 NtClose (536, ... ) == 0x0 04348 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1221956, ... ) }, 1221956, ... ) == 0x0 04349 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 04350 896 NtQueryValueKey (528, (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (528, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 04351 896 NtQueryValueKey (528, (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (528, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04352 896 NtClose (528, ... ) == 0x0 04353 896 NtClose (524, ... ) == 0x0 04354 896 NtClose (520, ... ) == 0x0 04355 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\_!MSFTHISTORY!_"}, ... 520, ) }, ... 520, ) == 0x0 04356 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!temporary internet files!content.ie5!"}, ... 524, ) }, ... 524, ) == 0x0 04357 896 NtWaitForSingleObject (524, 0, 0x0, ... ) == 0x0 04358 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1224060, ... ) }, 1224060, ... ) == 0x0 04359 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 528, {status=0x0, info=1}, ) }, 7, 2113568, ... 528, {status=0x0, info=1}, ) == 0x0 04360 896 NtSetInformationFile (528, 1224036, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04361 896 NtClose (528, ... ) == 0x0 04362 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1223976, (0xc0100080, {24, 0, 0x40, 0, 1223976, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 528, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 528, {status=0x0, info=1}, ) == 0x0 04363 896 NtSetInformationFile (528, 1224028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04364 896 NtQueryInformationFile (528, 1224028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04365 896 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_Temporary Internet Files_Content.IE5_index.dat_802816"}, ... 536, ) }, ... 536, ) == 0x0 04366 896 NtMapViewOfSection (536, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xd30000), {0, 0}, 802816, ) == 0x0 04367 896 NtReleaseMutant (524, ... 0x0, ) == 0x0 04368 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!cookies!"}, ... 540, ) }, ... 540, ) == 0x0 04369 896 NtWaitForSingleObject (540, 0, 0x0, ... ) == 0x0 04370 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 1224060, ... ) }, 1224060, ... ) == 0x0 04371 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Cookies\"}, 7, 2113568, ... 544, {status=0x0, info=1}, ) }, 7, 2113568, ... 544, {status=0x0, info=1}, ) == 0x0 04372 896 NtSetInformationFile (544, 1224036, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04373 896 NtClose (544, ... ) == 0x0 04374 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1223976, (0xc0100080, {24, 0, 0x40, 0, 1223976, "\??\C:\Documents and Settings\Martim Carbone\Cookies\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 544, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 544, {status=0x0, info=1}, ) == 0x0 04375 896 NtSetInformationFile (544, 1224028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04376 896 NtQueryInformationFile (544, 1224028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04377 896 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Cookies_index.dat_32768"}, ... 548, ) }, ... 548, ) == 0x0 04378 896 NtMapViewOfSection (548, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9e0000), {0, 0}, 32768, ) == 0x0 04379 896 NtReleaseMutant (540, ... 0x0, ) == 0x0 04380 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\c:!documents and settings!martim carbone!local settings!history!history.ie5!"}, ... 552, ) }, ... 552, ) == 0x0 04381 896 NtWaitForSingleObject (552, 0, 0x0, ... ) == 0x0 04382 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1224060, ... ) }, 1224060, ... ) == 0x0 04383 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 556, {status=0x0, info=1}, ) }, 7, 2113568, ... 556, {status=0x0, info=1}, ) == 0x0 04384 896 NtSetInformationFile (556, 1224036, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04385 896 NtClose (556, ... ) == 0x0 04386 896 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1223976, (0xc0100080, {24, 0, 0x40, 0, 1223976, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\index.dat"}, 0x0, 8198, 3, 3, 2144, 0, 0, ... 556, {status=0x0, info=1}, ) }, 0x0, 8198, 3, 3, 2144, 0, 0, ... 556, {status=0x0, info=1}, ) == 0x0 04387 896 NtSetInformationFile (556, 1224028, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04388 896 NtQueryInformationFile (556, 1224028, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04389 896 NtOpenSection (0x2, {24, 44, 0x0, 0, 0, (0x2, {24, 44, 0x0, 0, 0, "Local\C:_Documents and Settings_Martim Carbone_Local Settings_History_History.IE5_index.dat_81920"}, ... 560, ) }, ... 560, ) == 0x0 04390 896 NtMapViewOfSection (560, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x9f0000), {0, 0}, 81920, ) == 0x0 04391 896 NtReleaseMutant (552, ... 0x0, ) == 0x0 04392 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 1223636, ... ) }, 1223636, ... ) == 0x0 04393 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 564, {status=0x0, info=1}, ) }, 7, 2113568, ... 564, {status=0x0, info=1}, ) == 0x0 04394 896 NtSetInformationFile (564, 1223608, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04395 896 NtClose (564, ... ) == 0x0 04396 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1223632, ... ) }, 1223632, ... ) == 0x0 04397 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 1223636, ... ) }, 1223636, ... ) == 0x0 04398 896 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\"}, 7, 2113568, ... 564, {status=0x0, info=1}, ) }, 7, 2113568, ... 564, {status=0x0, info=1}, ) == 0x0 04399 896 NtSetInformationFile (564, 1223608, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04400 896 NtClose (564, ... ) == 0x0 04401 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\Martim Carbone\Local Settings\History\History.IE5\desktop.ini"}, 1223632, ... ) }, 1223632, ... ) == 0x0 04402 896 NtWaitForSingleObject (524, 0, 0x0, ... ) == 0x0 04403 896 NtReleaseMutant (524, ... 0x0, ) == 0x0 04404 896 NtOpenKey (0xf, {24, 84, 0x40, 0, 0, (0xf, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 564, ) }, ... 564, ) == 0x0 04405 896 NtOpenKey (0xf, {24, 564, 0x40, 0, 0, (0xf, {24, 564, 0x40, 0, 0, "Extensible Cache"}, ... 568, ) }, ... 568, ) == 0x0 04406 896 NtClose (564, ... ) == 0x0 04407 896 NtWaitForSingleObject (520, 0, {-600000000, -1}, ... ) == 0x0 04408 896 NtEnumerateKey (568, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name= (568, 0, Basic, 288, ... {LastWrite={0x47401762,0x1c74db1}, TitleIdx=0, Name="feedplat"}, 32, ) }, 32, ) == 0x0 04409 896 NtOpenKey (0xf, {24, 568, 0x40, 0, 0, (0xf, {24, 568, 0x40, 0, 0, "feedplat"}, ... 564, ) }, ... 564, ) == 0x0 04410 896 NtQueryValueKey (564, (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04411 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04412 896 NtQueryValueKey (564, (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 04413 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04414 896 NtQueryValueKey (564, (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0F\0e\0e\0d\0s\0 \0C\0a\0c\0h\0e\0\0\0"}, 148, ) }, 148, ) == 0x0 04415 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 04416 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="f\0e\0e\0d\0p\0l\0a\0t\0:\0\0\0"}, 32, ) }, 32, ) == 0x0 04417 896 NtQueryValueKey (564, (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04418 896 NtQueryValueKey (564, (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04419 896 NtAllocateVirtualMemory (-1, 1536000, 0, 4096, 4096, 4, ... 1536000, 4096, ) == 0x0 04420 896 NtClose (564, ... ) == 0x0 04421 896 NtEnumerateKey (568, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name= (568, 1, Basic, 288, ... {LastWrite={0x450668aa,0x1c8b090}, TitleIdx=0, Name="MSHist012008050720080508"}, 64, ) }, 64, ) == 0x0 04422 896 NtOpenKey (0xf, {24, 568, 0x40, 0, 0, (0xf, {24, 568, 0x40, 0, 0, "MSHist012008050720080508"}, ... 564, ) }, ... 564, ) == 0x0 04423 896 NtQueryValueKey (564, (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04424 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04425 896 NtQueryValueKey (564, (564, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0 04426 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04427 896 NtQueryValueKey (564, (564, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) , Partial, 160, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 160, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0\0\0"}, 160, ) }, 160, ) == 0x0 04428 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04429 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\08\00\05\00\07\02\00\00\08\00\05\00\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04430 896 NtQueryValueKey (564, (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04431 896 NtQueryValueKey (564, (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 04432 896 NtClose (564, ... ) == 0x0 04433 896 NtEnumerateKey (568, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name= (568, 2, Basic, 288, ... {LastWrite={0x2030327f,0x1c7701e}, TitleIdx=0, Name="UserData"}, 32, ) }, 32, ) == 0x0 04434 896 NtOpenKey (0xf, {24, 568, 0x40, 0, 0, (0xf, {24, 568, 0x40, 0, 0, "UserData"}, ... 564, ) }, ... 564, ) == 0x0 04435 896 NtQueryValueKey (564, (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04436 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04437 896 NtQueryValueKey (564, (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 04438 896 NtQueryValueKey (564, (564, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04439 896 NtQueryValueKey (564, (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) , Partial, 148, ... TitleIdx=0, Type=2, Data= (564, "CachePath", Partial, 148, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0I\0n\0t\0e\0r\0n\0e\0t\0 \0E\0x\0p\0l\0o\0r\0e\0r\0\\0U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 148, ) }, 148, ) == 0x0 04440 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 04441 896 NtQueryValueKey (564, (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (564, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="U\0s\0e\0r\0D\0a\0t\0a\0\0\0"}, 30, ) }, 30, ) == 0x0 04442 896 NtQueryValueKey (564, (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\350\3\0\0"}, 16, ) }, 16, ) == 0x0 04443 896 NtQueryValueKey (564, (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\10\0\0\0"}, 16, ) }, 16, ) == 0x0 04444 896 NtClose (564, ... ) == 0x0 04445 896 NtEnumerateKey (568, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 04446 896 NtReleaseMutant (520, ... 0x0, ) == 0x0 04447 896 NtClose (568, ... ) == 0x0 04448 896 NtWaitForSingleObject (524, 0, 0x0, ... ) == 0x0 04449 896 NtReleaseMutant (524, ... 0x0, ) == 0x0 04450 896 NtWaitForSingleObject (524, 0, 0x0, ... ) == 0x0 04451 896 NtReleaseMutant (524, ... 0x0, ) == 0x0 04452 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04453 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04454 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04455 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04456 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04457 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04458 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04459 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 568, ) }, ... 568, ) == 0x0 04460 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04461 896 NtOpenKey (0x1, {24, 568, 0x40, 0, 0, (0x1, {24, 568, 0x40, 0, 0, "RETRY_HEADERONLYPOST_ONCONNECTIONRESET"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04462 896 NtClose (568, ... ) == 0x0 04463 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04464 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04465 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 568, ) }, ... 568, ) == 0x0 04466 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04467 896 NtOpenKey (0x1, {24, 568, 0x40, 0, 0, (0x1, {24, 568, 0x40, 0, 0, "FEATURE_BUFFERBREAKING_818408"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04468 896 NtClose (568, ... ) == 0x0 04469 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04470 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04471 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 568, ) }, ... 568, ) == 0x0 04472 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04473 896 NtOpenKey (0x1, {24, 568, 0x40, 0, 0, (0x1, {24, 568, 0x40, 0, 0, "FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04474 896 NtClose (568, ... ) == 0x0 04475 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04476 896 NtQueryValueKey (132, (132, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04477 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04478 896 NtQueryValueKey (568, (568, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04479 896 NtClose (568, ... ) == 0x0 04480 896 NtQueryValueKey (132, (132, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04481 896 NtQueryValueKey (132, (132, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04482 896 NtQueryValueKey (132, (132, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04483 896 NtQueryValueKey (132, (132, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04484 896 NtQueryValueKey (132, (132, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04485 896 NtQueryValueKey (132, (132, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04486 896 NtQueryValueKey (132, (132, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04487 896 NtQueryValueKey (132, (132, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04488 896 NtQueryValueKey (132, (132, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04489 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04490 896 NtQueryValueKey (568, (568, "ConnectTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04491 896 NtClose (568, ... ) == 0x0 04492 896 NtQueryValueKey (132, (132, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04493 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04494 896 NtQueryValueKey (568, (568, "ConnectRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04495 896 NtClose (568, ... ) == 0x0 04496 896 NtQueryValueKey (132, (132, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04497 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04498 896 NtQueryValueKey (568, (568, "SendTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04499 896 NtClose (568, ... ) == 0x0 04500 896 NtQueryValueKey (132, (132, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04501 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04502 896 NtQueryValueKey (568, (568, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04503 896 NtClose (568, ... ) == 0x0 04504 896 NtQueryValueKey (132, (132, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04505 896 NtQueryValueKey (132, (132, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04506 896 NtQueryValueKey (132, (132, "CertCacheNoValidate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04507 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 568, ) }, ... 568, ) == 0x0 04508 896 NtQueryValueKey (568, (568, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04509 896 NtClose (568, ... ) == 0x0 04510 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04511 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04512 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04513 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 568, ) }, ... 568, ) == 0x0 04514 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 564, ) }, ... 564, ) == 0x0 04515 896 NtQueryValueKey (564, (564, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04516 896 NtQueryValueKey (568, (568, "ScavengeCacheFileLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04517 896 NtClose (568, ... ) == 0x0 04518 896 NtClose (564, ... ) == 0x0 04519 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04520 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04521 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 564, ) }, ... 564, ) == 0x0 04522 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04523 896 NtOpenKey (0x1, {24, 564, 0x40, 0, 0, (0x1, {24, 564, 0x40, 0, 0, "FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04524 896 NtClose (564, ... ) == 0x0 04525 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04526 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04527 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 564, ) }, ... 564, ) == 0x0 04528 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04529 896 NtOpenKey (0x1, {24, 564, 0x40, 0, 0, (0x1, {24, 564, 0x40, 0, 0, "FEATURE_USE_CNAME_FOR_SPN_KB911149"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04530 896 NtClose (564, ... ) == 0x0 04531 896 NtQueryValueKey (132, (132, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04532 896 NtQueryValueKey (132, (132, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04533 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04534 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04535 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 564, ) }, ... 564, ) == 0x0 04536 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04537 896 NtOpenKey (0x1, {24, 564, 0x40, 0, 0, (0x1, {24, 564, 0x40, 0, 0, "FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04538 896 NtClose (564, ... ) == 0x0 04539 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04540 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04541 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 564, ) }, ... 564, ) == 0x0 04542 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04543 896 NtOpenKey (0x1, {24, 564, 0x40, 0, 0, (0x1, {24, 564, 0x40, 0, 0, "FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK"}, ... 568, ) }, ... 568, ) == 0x0 04544 896 NtQueryValueKey (568, (568, "packed.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04545 896 NtQueryValueKey (568, (568, "*", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04546 896 NtClose (568, ... ) == 0x0 04547 896 NtClose (564, ... ) == 0x0 04548 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04549 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04550 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... 564, ) }, ... 564, ) == 0x0 04551 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Main\FeatureControl"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04552 896 NtOpenKey (0x1, {24, 564, 0x40, 0, 0, (0x1, {24, 564, 0x40, 0, 0, "FEATURE_DIGEST_NO_EXTRAS_IN_URI"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04553 896 NtClose (564, ... ) == 0x0 04554 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04555 896 NtQueryValueKey (564, (564, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (564, "DisableCachingOfSSLPages", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04556 896 NtClose (564, ... ) == 0x0 04557 896 NtQueryValueKey (132, (132, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04558 896 NtQueryValueKey (132, (132, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04559 896 NtQueryValueKey (132, (132, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04560 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04561 896 NtQueryValueKey (564, (564, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04562 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04563 896 NtQueryValueKey (568, (568, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04564 896 NtClose (564, ... ) == 0x0 04565 896 NtClose (568, ... ) == 0x0 04566 896 NtQueryValueKey (132, (132, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04567 896 NtQueryValueKey (132, (132, "BypassFtpTimeCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04568 896 NtQueryValueKey (132, (132, "ReleaseSocketDuringAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04569 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04570 896 NtQueryValueKey (568, (568, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04571 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04572 896 NtQueryValueKey (564, (564, "ReleaseSocketDuring401Auth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04573 896 NtClose (568, ... ) == 0x0 04574 896 NtClose (564, ... ) == 0x0 04575 896 NtQueryValueKey (132, (132, "WpadSearchAllDomains", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04576 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04577 896 NtQueryValueKey (564, (564, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04578 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04579 896 NtQueryValueKey (568, (568, "DisableLegacyPreAuthAsServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04580 896 NtClose (564, ... ) == 0x0 04581 896 NtClose (568, ... ) == 0x0 04582 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04583 896 NtQueryValueKey (568, (568, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04584 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04585 896 NtQueryValueKey (564, (564, "BypassHTTPNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04586 896 NtClose (568, ... ) == 0x0 04587 896 NtClose (564, ... ) == 0x0 04588 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04589 896 NtQueryValueKey (564, (564, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04590 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04591 896 NtQueryValueKey (568, (568, "BypassSSLNoCacheCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04592 896 NtClose (564, ... ) == 0x0 04593 896 NtClose (568, ... ) == 0x0 04594 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04595 896 NtQueryValueKey (568, (568, "EnableHttpTrace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04596 896 NtClose (568, ... ) == 0x0 04597 896 NtOpenKey (0x1, {24, 84, 0x40, 0, 0, (0x1, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 568, ) }, ... 568, ) == 0x0 04598 896 NtQueryValueKey (568, (568, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04599 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04600 896 NtQueryValueKey (564, (564, "NoCheckAutodialOverRide", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04601 896 NtClose (568, ... ) == 0x0 04602 896 NtClose (564, ... ) == 0x0 04603 896 NtQueryValueKey (132, (132, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04604 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04605 896 NtQueryValueKey (564, (564, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04606 896 NtClose (564, ... ) == 0x0 04607 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 564, ) }, ... 564, ) == 0x0 04608 896 NtQueryValueKey (564, (564, "ShareCredsWithWinHttp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04609 896 NtClose (564, ... ) == 0x0 04610 896 NtQueryValueKey (132, (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04611 896 NtQueryValueKey (132, (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04612 896 NtQueryValueKey (132, (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04613 896 NtQueryValueKey (132, (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04614 896 NtQueryValueKey (132, (132, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04615 896 NtQueryValueKey (132, (132, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04616 896 NtQueryValueKey (132, (132, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04617 896 NtQueryValueKey (132, (132, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04618 896 NtQueryValueKey (132, (132, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (132, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04619 896 NtQueryValueKey (132, (132, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04620 896 NtQueryValueKey (132, (132, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "WarnOnZoneCrossing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04621 896 NtQueryValueKey (132, (132, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04622 896 NtQueryValueKey (132, (132, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04623 896 NtQueryValueKey (132, (132, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04624 896 NtQueryValueKey (132, (132, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04625 896 NtQueryValueKey (132, (132, "WarnOnHTTPSToHTTPRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04626 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetStartupMutex"}, ... 564, ) }, ... 564, ) == 0x0 04627 896 NtOpenKey (0x2000000, {24, 16, 0x40, 0, 0, (0x2000000, {24, 16, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 568, ) }, ... 568, ) == 0x0 04628 896 NtQueryValueKey (568, (568, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (568, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 04629 896 NtQueryValueKey (568, (568, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (568, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 04630 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 572, ) == 0x0 04631 896 NtOpenKey (0x2000000, {24, 568, 0x40, 0, 0, (0x2000000, {24, 568, 0x40, 0, 0, "Protocol_Catalog9"}, ... 576, ) }, ... 576, ) == 0x0 04632 896 NtQueryValueKey (576, (576, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (576, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 04633 896 NtNotifyChangeKey (576, 572, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 04634 896 NtQueryValueKey (576, (576, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (576, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 04635 896 NtOpenKey (0x2000000, {24, 576, 0x40, 0, 0, (0x2000000, {24, 576, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04636 896 NtQueryValueKey (576, (576, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (576, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 04637 896 NtQueryValueKey (576, (576, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (576, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 04638 896 NtOpenKey (0x2000000, {24, 576, 0x40, 0, 0, (0x2000000, {24, 576, 0x40, 0, 0, "Catalog_Entries"}, ... 580, ) }, ... 580, ) == 0x0 04639 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000001"}, ... 584, ) }, ... 584, ) == 0x0 04640 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04641 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04642 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0#\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0$\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0%\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04643 896 NtClose (584, ... ) == 0x0 04644 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000002"}, ... 584, ) }, ... 584, ) == 0x0 04645 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04646 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04647 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0(\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0)\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0*\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04648 896 NtClose (584, ... ) == 0x0 04649 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000003"}, ... 584, ) }, ... 584, ) == 0x0 04650 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04651 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04652 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0-\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0.\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0/\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\00\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04653 896 NtClose (584, ... ) == 0x0 04654 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000004"}, ... 584, ) }, ... 584, ) == 0x0 04655 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04656 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04657 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\02\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\03\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\04\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\05\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04658 896 NtClose (584, ... ) == 0x0 04659 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000005"}, ... 584, ) }, ... 584, ) == 0x0 04660 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04661 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04662 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\07\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\08\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\09\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0:\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04663 896 NtClose (584, ... ) == 0x0 04664 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000006"}, ... 584, ) }, ... 584, ) == 0x0 04665 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04666 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04667 896 NtAllocateVirtualMemory (-1, 1540096, 0, 4096, 4096, 4, ... 1540096, 4096, ) == 0x0 04668 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0@\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0@\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0@\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0=\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0>\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0?\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0@\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04669 896 NtClose (584, ... ) == 0x0 04670 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000007"}, ... 584, ) }, ... 584, ) == 0x0 04671 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04672 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04673 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0B\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0C\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0D\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0E\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04674 896 NtClose (584, ... ) == 0x0 04675 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000008"}, ... 584, ) }, ... 584, ) == 0x0 04676 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04677 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04678 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0G\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0H\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0I\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0J\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04679 896 NtClose (584, ... ) == 0x0 04680 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000009"}, ... 584, ) }, ... 584, ) == 0x0 04681 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04682 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04683 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0L\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0M\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0N\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0O\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04684 896 NtClose (584, ... ) == 0x0 04685 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000010"}, ... 584, ) }, ... 584, ) == 0x0 04686 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04687 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04688 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0Q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0R\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0S\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0T\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04689 896 NtClose (584, ... ) == 0x0 04690 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000011"}, ... 584, ) }, ... 584, ) == 0x0 04691 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04692 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04693 896 NtAllocateVirtualMemory (-1, 1544192, 0, 4096, 4096, 4, ... 1544192, 4096, ) == 0x0 04694 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0W\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0X\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0Y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04695 896 NtClose (584, ... ) == 0x0 04696 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000012"}, ... 584, ) }, ... 584, ) == 0x0 04697 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04698 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04699 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0]\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0^\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04700 896 NtClose (584, ... ) == 0x0 04701 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000013"}, ... 584, ) }, ... 584, ) == 0x0 04702 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04703 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04704 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0a\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0b\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0c\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0d\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04705 896 NtClose (584, ... ) == 0x0 04706 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000014"}, ... 584, ) }, ... 584, ) == 0x0 04707 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04708 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04709 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0f\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0g\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0h\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0i\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04710 896 NtClose (584, ... ) == 0x0 04711 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000015"}, ... 584, ) }, ... 584, ) == 0x0 04712 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04713 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04714 896 NtAllocateVirtualMemory (-1, 1548288, 0, 4096, 4096, 4, ... 1548288, 4096, ) == 0x0 04715 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0l\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0m\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0n\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04716 896 NtClose (584, ... ) == 0x0 04717 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000016"}, ... 584, ) }, ... 584, ) == 0x0 04718 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04719 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04720 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0q\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0r\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0s\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04721 896 NtClose (584, ... ) == 0x0 04722 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000017"}, ... 584, ) }, ... 584, ) == 0x0 04723 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04724 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04725 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0v\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0w\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0x\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0y\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04726 896 NtClose (584, ... ) == 0x0 04727 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000018"}, ... 584, ) }, ... 584, ) == 0x0 04728 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04729 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04730 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0{\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0|\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0}\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0~\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04731 896 NtClose (584, ... ) == 0x0 04732 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000019"}, ... 584, ) }, ... 584, ) == 0x0 04733 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04734 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04735 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\200\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\201\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\202\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\203\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04736 896 NtClose (584, ... ) == 0x0 04737 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000020"}, ... 584, ) }, ... 584, ) == 0x0 04738 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04739 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04740 896 NtAllocateVirtualMemory (-1, 1552384, 0, 4096, 4096, 4, ... 1552384, 4096, ) == 0x0 04741 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\206\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\207\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\210\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04742 896 NtClose (584, ... ) == 0x0 04743 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000021"}, ... 584, ) }, ... 584, ) == 0x0 04744 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04745 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04746 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0 (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\213\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0D\2\0\0\34\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0xv\27\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\214\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0H\2\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\27\0\2\0\0\0\220\0\0\0\215\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\22\0\0\344\4\0\0\200\3\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0H\2\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04747 896 NtClose (584, ... ) == 0x0 04748 896 NtOpenKey (0x20019, {24, 580, 0x40, 0, 0, (0x20019, {24, 580, 0x40, 0, 0, "000000000022"}, ... 584, ) }, ... 584, ) == 0x0 04749 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04750 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04751 896 NtQueryValueKey (584, (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\2\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\2\0\0\224\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\2\0\0D\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0@(\27\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (584, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\2\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\2\0\0\224\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\2\0\0D\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0@(\27\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0H\2\0\0\220\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\2\0\0\221\22\0\0\344\4\0\0\200\3\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0<\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\222\22\0\0\344\4\0\0\200\3\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\223\22\0\0\344\4\0\0\200\3\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\2\0\0\224\22\0\0\344\4\0\0\200\3\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\08\2\0\0D\255\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0@(\27\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 04752 896 NtClose (584, ... ) == 0x0 04753 896 NtClose (580, ... ) == 0x0 04754 896 NtWaitForSingleObject (572, 0, {0, 0}, ... ) == 0x102 04755 896 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 580, ) == 0x0 04756 896 NtOpenKey (0x2000000, {24, 568, 0x40, 0, 0, (0x2000000, {24, 568, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 584, ) }, ... 584, ) == 0x0 04757 896 NtQueryValueKey (584, (584, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (584, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 04758 896 NtNotifyChangeKey (584, 580, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 04759 896 NtQueryValueKey (584, (584, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (584, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 04760 896 NtOpenKey (0x2000000, {24, 584, 0x40, 0, 0, (0x2000000, {24, 584, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04761 896 NtQueryValueKey (584, (584, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (584, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 04762 896 NtOpenKey (0x2000000, {24, 584, 0x40, 0, 0, (0x2000000, {24, 584, 0x40, 0, 0, "Catalog_Entries"}, ... 588, ) }, ... 588, ) == 0x0 04763 896 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "000000000001"}, ... 592, ) }, ... 592, ) == 0x0 04764 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04765 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04766 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04767 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04768 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04769 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04770 896 NtQueryValueKey (592, (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 04771 896 NtQueryValueKey (592, (592, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04772 896 NtQueryValueKey (592, (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 04773 896 NtQueryValueKey (592, (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04774 896 NtQueryValueKey (592, (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04775 896 NtQueryValueKey (592, (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04776 896 NtClose (592, ... ) == 0x0 04777 896 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "000000000002"}, ... 592, ) }, ... 592, ) == 0x0 04778 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04779 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04780 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04781 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04782 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04783 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04784 896 NtQueryValueKey (592, (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 04785 896 NtQueryValueKey (592, (592, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04786 896 NtQueryValueKey (592, (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 04787 896 NtQueryValueKey (592, (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04788 896 NtQueryValueKey (592, (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04789 896 NtQueryValueKey (592, (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04790 896 NtClose (592, ... ) == 0x0 04791 896 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "000000000003"}, ... 592, ) }, ... 592, ) == 0x0 04792 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04793 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04794 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04795 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04796 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04797 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04798 896 NtQueryValueKey (592, (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 04799 896 NtQueryValueKey (592, (592, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04800 896 NtQueryValueKey (592, (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 04801 896 NtQueryValueKey (592, (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04802 896 NtQueryValueKey (592, (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04803 896 NtQueryValueKey (592, (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04804 896 NtClose (592, ... ) == 0x0 04805 896 NtOpenKey (0x20019, {24, 588, 0x40, 0, 0, (0x20019, {24, 588, 0x40, 0, 0, "000000000004"}, ... 592, ) }, ... 592, ) == 0x0 04806 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04807 896 NtQueryValueKey (592, (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04808 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 04809 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 04810 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 04811 896 NtQueryValueKey (592, (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (592, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 04812 896 NtQueryValueKey (592, (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (592, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 04813 896 NtQueryValueKey (592, (592, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04814 896 NtQueryValueKey (592, (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 04815 896 NtQueryValueKey (592, (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04816 896 NtQueryValueKey (592, (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04817 896 NtQueryValueKey (592, (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (592, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04818 896 NtClose (592, ... ) == 0x0 04819 896 NtClose (588, ... ) == 0x0 04820 896 NtWaitForSingleObject (580, 0, {0, 0}, ... ) == 0x102 04821 896 NtClose (568, ... ) == 0x0 04822 896 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 568, ) == 0x0 04823 896 NtQueryValueKey (132, (132, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "GlobalUserOffline", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04824 896 NtWaitForSingleObject (524, 0, 0x0, ... ) == 0x0 04825 896 NtReleaseMutant (524, ... 0x0, ) == 0x0 04826 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetConnectionMutex"}, ... 588, ) }, ... 588, ) == 0x0 04827 896 NtOpenMutant (0x100000, {24, 44, 0x0, 0, 0, (0x100000, {24, 44, 0x0, 0, 0, "Local\WininetProxyRegistryMutex"}, ... 592, ) }, ... 592, ) == 0x0 04828 896 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 596, ) == 0x0 04829 896 NtQueryValueKey (132, (132, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04830 896 NtQueryValueKey (132, (132, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04831 896 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 600, ) == 0x0 04832 896 NtOpenKey (0x1, {24, 16, 0x40, 0, 0, (0x1, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 604, ) }, ... 604, ) == 0x0 04833 896 NtQueryValueKey (604, (604, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 04834 896 NtQueryValueKey (604, (604, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 04835 896 NtClose (604, ... ) == 0x0 04836 896 NtQueryValueKey (132, (132, "TruncateFileName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04837 896 NtAllocateVirtualMemory (-1, 1556480, 0, 4096, 4096, 4, ... 1556480, 4096, ) == 0x0 04838 896 NtQueryValueKey (132, (132, "BadProxyExpiresTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04839 896 NtAllocateVirtualMemory (-1, 1560576, 0, 8192, 4096, 4, ... 1560576, 8192, ) == 0x0 04840 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "xpsp2res.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04841 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\xpsp2res.dll"}, 1223200, ... ) }, 1223200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04842 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xpsp2res.dll"}, 1223200, ... ) }, 1223200, ... ) == 0x0 04843 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\xpsp2res.dll"}, 5, 96, ... 604, {status=0x0, info=1}, ) }, 5, 96, ... 604, {status=0x0, info=1}, ) == 0x0 04844 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 604, ... 608, ) == 0x0 04845 896 NtQuerySection (608, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04846 896 NtClose (604, ... ) == 0x0 04847 896 NtMapViewOfSection (608, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x20000000), 0x0, 2904064, ) == 0x0 04848 896 NtClose (608, ... ) == 0x0 04849 896 NtQueryDefaultLocale (1, 1225056, ... ) == 0x0 04850 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1224980, (0x80100080, {24, 0, 0x40, 0, 1224980, "\??\u:\work\rzqprvoo.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 608, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 608, {status=0x0, info=1}, ) == 0x0 04851 896 NtWaitForSingleObject (424, 0, 0x0, ... ) == 0x0 04852 896 NtClearEvent (484, ... ) == 0x0 04853 896 NtReleaseMutant (424, ... 0x0, ) == 0x0 04854 896 NtWaitForSingleObject (424, 0, 0x0, ... ) == 0x0 04855 896 NtSetEvent (484, ... 0x0, ) == 0x0 04856 896 NtReleaseMutant (424, ... 0x0, ) == 0x0 04857 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04858 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04859 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0t\0r\0u\0s\0t\0C\0e\0r\0t\0i\0f\0i\0c\0a\0t\0e\0T\0r\0u\0s\0t\0\0\0"}, 62, ) }, 62, ) == 0x0 04860 896 NtClose (604, ... ) == 0x0 04861 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04862 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04863 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0A\0u\0t\0h\0e\0n\0t\0i\0c\0o\0d\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 04864 896 NtClose (604, ... ) == 0x0 04865 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04866 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04867 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0I\0n\0i\0t\0i\0a\0l\0i\0z\0e\0\0\0"}, 48, ) }, 48, ) == 0x0 04868 896 NtClose (604, ... ) == 0x0 04869 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04870 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04871 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0M\0e\0s\0s\0a\0g\0e\0\0\0"}, 50, ) }, 50, ) == 0x0 04872 896 NtClose (604, ... ) == 0x0 04873 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04874 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04875 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0L\0o\0a\0d\0S\0i\0g\0n\0a\0t\0u\0r\0e\0\0\0"}, 54, ) }, 54, ) == 0x0 04876 896 NtClose (604, ... ) == 0x0 04877 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04878 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04879 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0h\0e\0c\0k\0C\0e\0r\0t\0\0\0"}, 46, ) }, 46, ) == 0x0 04880 896 NtClose (604, ... ) == 0x0 04881 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04882 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"}, ... 604, ) }, ... 604, ) == 0x0 04883 896 NtQueryValueKey (604, (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$DLL", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0I\0N\0T\0R\0U\0S\0T\0.\0D\0L\0L\0\0\0"}, 38, ) }, 38, ) == 0x0 04884 896 NtQueryValueKey (604, (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "$Function", Partial, 144, ... TitleIdx=0, Type=1, Data="S\0o\0f\0t\0p\0u\0b\0C\0l\0e\0a\0n\0u\0p\0\0\0"}, 42, ) }, 42, ) == 0x0 04885 896 NtClose (604, ... ) == 0x0 04886 896 NtWaitForMultipleObjects (2, (424, 484, ), 0, 0, 0x0, ... ) == 0x0 04887 896 NtReleaseMutant (424, ... 0x0, ) == 0x0 04888 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 04889 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 604, ) == 0x0 04890 896 NtQueryInformationToken (604, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 04891 896 NtClose (604, ... ) == 0x0 04892 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 604, ) }, ... 604, ) == 0x0 04893 896 NtOpenKey (0x20019, {24, 604, 0x40, 0, 0, (0x20019, {24, 604, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Providers\Type 001"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04894 896 NtClose (604, ... ) == 0x0 04895 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001"}, ... 604, ) }, ... 604, ) == 0x0 04896 896 NtQueryValueKey (604, (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 04897 896 NtQueryValueKey (604, (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 04898 896 NtQueryValueKey (604, (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 04899 896 NtQueryValueKey (604, (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Name", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0S\0t\0r\0o\0n\0g\0 \0C\0r\0y\0p\0t\0o\0g\0r\0a\0p\0h\0i\0c\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0"}, 92, ) }, 92, ) == 0x0 04900 896 NtClose (604, ... ) == 0x0 04901 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider"}, ... 604, ) }, ... 604, ) == 0x0 04902 896 NtQueryValueKey (604, (604, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (604, "Type", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04903 896 NtQueryValueKey (604, (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0 04904 896 NtQueryValueKey (604, (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0 04905 896 NtQueryValueKey (604, (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0 04906 896 NtQueryValueKey (604, (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (604, "Image Path", Partial, 144, ... TitleIdx=0, Type=1, Data="r\0s\0a\0e\0n\0h\0.\0d\0l\0l\0\0\0"}, 34, ) }, 34, ) == 0x0 04907 896 NtOpenKey (0x20119, {24, 16, 0x40, 0, 0, (0x20119, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography"}, ... 612, ) }, ... 612, ) == 0x0 04908 896 NtQueryValueKey (612, (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0 04909 896 NtQueryValueKey (612, (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0 04910 896 NtQueryValueKey (612, (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0 04911 896 NtQueryValueKey (612, (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "MachineGuid", Partial, 144, ... TitleIdx=0, Type=1, Data="4\0c\0d\0d\07\03\08\06\0-\0b\03\06\01\0-\04\05\0a\0c\0-\09\02\0e\00\0-\0b\07\0f\0d\06\02\04\07\06\0d\0d\0c\0\0\0"}, 86, ) }, 86, ) == 0x0 04912 896 NtClose (612, ... ) == 0x0 04913 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\Offload"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04914 896 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 04915 896 NtOpenProcessToken (-1, 0x8, ... 612, ) == 0x0 04916 896 NtQueryInformationToken (612, User, 1024, ... {token info, class 1, size 36}, 36, ) == 0x0 04917 896 NtClose (612, ... ) == 0x0 04918 896 NtClose (604, ... ) == 0x0 04919 896 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 04920 896 NtOpenProcessToken (-1, 0x8, ... 604, ) == 0x0 04921 896 NtQueryInformationToken (604, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 04922 896 NtClose (604, ... ) == 0x0 04923 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 604, ) }, ... 604, ) == 0x0 04924 896 NtSetInformationObject (604, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 04925 896 NtOpenKey (0x2000000, {24, 604, 0x40, 0, 0, (0x2000000, {24, 604, 0x40, 0, 0, "S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 612, ) }, ... 612, ) == 0x0 04926 896 NtCreateKey (0x20019, {24, 612, 0x40, 0, 0, (0x20019, {24, 612, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing"}, 0, 0x0, 0, ... 616, 2, ) }, 0, 0x0, 0, ... 616, 2, ) == 0x0 04927 896 NtClose (612, ... ) == 0x0 04928 896 NtQueryValueKey (616, (616, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (616, "State", Partial, 144, ... TitleIdx=0, Type=4, Data="\0<\2\0"}, 16, ) }, 16, ) == 0x0 04929 896 NtClose (616, ... ) == 0x0 04930 896 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 04931 896 NtOpenProcessToken (-1, 0x8, ... 616, ) == 0x0 04932 896 NtQueryInformationToken (616, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 04933 896 NtClose (616, ... ) == 0x0 04934 896 NtOpenKey (0x2000000, {24, 604, 0x40, 0, 0, (0x2000000, {24, 604, 0x40, 0, 0, "S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 616, ) }, ... 616, ) == 0x0 04935 896 NtOpenKey (0x20019, {24, 616, 0x40, 0, 0, (0x20019, {24, 616, 0x40, 0, 0, "Software\Microsoft\Internet Explorer\Security"}, ... 612, ) }, ... 612, ) == 0x0 04936 896 NtClose (616, ... ) == 0x0 04937 896 NtQueryValueKey (612, (612, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (612, "Safety Warning Level", Partial, 144, ... TitleIdx=0, Type=1, Data="Q\0u\0e\0r\0y\0\0\0"}, 24, ) }, 24, ) == 0x0 04938 896 NtClose (612, ... ) == 0x0 04939 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04940 896 NtOpenThreadToken (-2, 0x8, 1, ... ) == STATUS_NO_TOKEN 04941 896 NtOpenProcessToken (-1, 0x8, ... 612, ) == 0x0 04942 896 NtQueryInformationToken (612, User, 256, ... {token info, class 1, size 36}, 36, ) == 0x0 04943 896 NtClose (612, ... ) == 0x0 04944 896 NtOpenKey (0x2000000, {24, 604, 0x40, 0, 0, (0x2000000, {24, 604, 0x40, 0, 0, "S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 612, ) }, ... 612, ) == 0x0 04945 896 NtOpenKey (0x20019, {24, 612, 0x40, 0, 0, (0x20019, {24, 612, 0x40, 0, 0, "Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04946 896 NtClose (612, ... ) == 0x0 04947 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\SystemCertificates\TrustedPublisher\Safer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04948 896 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 608, ... 612, ) == 0x0 04949 896 NtMapViewOfSection (612, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa10000), {0, 0}, 4096, ) == 0x0 04950 896 NtClose (612, ... ) == 0x0 04951 896 NtQueryInformationFile (608, 1224448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04952 896 NtUnmapViewOfSection (-1, 0xa10000, ... ) == 0x0 04953 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 612, ) }, ... 612, ) == 0x0 04954 896 NtOpenKey (0x20019, {24, 612, 0x40, 0, 0, (0x20019, {24, 612, 0x40, 0, 0, "EncodingType 0"}, ... 616, ) }, ... 616, ) == 0x0 04955 896 NtOpenKey (0x20019, {24, 616, 0x40, 0, 0, (0x20019, {24, 616, 0x40, 0, 0, "CryptSIPDllIsMyFileType"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04956 896 NtClose (616, ... ) == 0x0 04957 896 NtClose (612, ... ) == 0x0 04958 896 NtOpenKey (0x20019, {24, 16, 0x40, 0, 0, (0x20019, {24, 16, 0x40, 0, 0, "Software\Microsoft\Cryptography\OID"}, ... 612, ) }, ... 612, ) == 0x0 04959 896 NtOpenKey (0x20019, {24, 612, 0x40, 0, 0, (0x20019, {24, 612, 0x40, 0, 0, "EncodingType 0"}, ... 616, ) }, ... 616, ) == 0x0 04960 896 NtOpenKey (0x20019, {24, 616, 0x40, 0, 0, (0x20019, {24, 616, 0x40, 0, 0, "CryptSIPDllIsMyFileType2"}, ... 620, ) }, ... 620, ) == 0x0 04961 896 NtEnumerateKey (620, 0, Basic, 288, ... {LastWrite={0x3c28a22,0x1c74da9}, TitleIdx=0, Name= (620, 0, Basic, 288, ... {LastWrite={0x3c28a22,0x1c74da9}, TitleIdx=0, Name="{000C10F1-0000-0000-C000-000000000046}"}, 92, ) }, 92, ) == 0x0 04962 896 NtOpenKey (0x20019, {24, 620, 0x40, 0, 0, (0x20019, {24, 620, 0x40, 0, 0, "{000C10F1-0000-0000-C000-000000000046}"}, ... 624, ) }, ... 624, ) == 0x0